Windows Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe
Analysis ID: 1543313
MD5: 1f16394645feef286d24108fb5154858
SHA1: 8d01fd31af2e90dc568435f21b9def36519faa83
SHA256: 87d7cba333569ff7e19e283f77dfa1257b71dcf8230fdd6a9af78e10d8269913
Tags: exe

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking computer name)
Queries memory information (via WMI often done to detect virtual machines)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Detected potential crypto function
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection

Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: unknown DNS traffic detected: query: 18.31.95.13.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D17806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D17802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D17806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D17802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D17806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D17802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171C3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D17806000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D17802000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17808000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D178A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D178A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B600830 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,GetTokenInformation,GetTokenInformation,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,K32GetModuleFileNameExW,ReadProcessMemory,ReadProcessMemory,RtlFreeHeap,RtlFreeHeap,ReadProcessMemory, 0_2_00007FF79B600830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FD0C0 NtQuerySystemInformation,RtlFreeHeap,RtlFreeHeap, 0_2_00007FF79B5FD0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B602190 NtQueryInformationProcess,NtQueryInformationProcess, 0_2_00007FF79B602190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B614040 0_2_00007FF79B614040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B600830 0_2_00007FF79B600830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FCC30 0_2_00007FF79B5FCC30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5E9D10 0_2_00007FF79B5E9D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C80E0 0_2_00007FF79B5C80E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FE4E0 0_2_00007FF79B5FE4E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B6028E0 0_2_00007FF79B6028E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5CA4E8 0_2_00007FF79B5CA4E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C48C0 0_2_00007FF79B5C48C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FD0C0 0_2_00007FF79B5FD0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B6038B0 0_2_00007FF79B6038B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5CC360 0_2_00007FF79B5CC360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FDBE0 0_2_00007FF79B5FDBE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B612BB0 0_2_00007FF79B612BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C1680 0_2_00007FF79B5C1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5ED620 0_2_00007FF79B5ED620
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B603EA0 0_2_00007FF79B603EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C4080 0_2_00007FF79B5C4080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5ED890 0_2_00007FF79B5ED890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B615C70 0_2_00007FF79B615C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5EF440 0_2_00007FF79B5EF440
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FA050 0_2_00007FF79B5FA050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D3500 0_2_00007FF79B5D3500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C3510 0_2_00007FF79B5C3510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5E10E0 0_2_00007FF79B5E10E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B616CF0 0_2_00007FF79B616CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5E8CC0 0_2_00007FF79B5E8CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5DD8D0 0_2_00007FF79B5DD8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D8260 0_2_00007FF79B5D8260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D6F60 0_2_00007FF79B5D6F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5EE370 0_2_00007FF79B5EE370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C3340 0_2_00007FF79B5C3340
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5F9750 0_2_00007FF79B5F9750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5F2810 0_2_00007FF79B5F2810
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5F73E0 0_2_00007FF79B5F73E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5DD3F0 0_2_00007FF79B5DD3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D8260 0_2_00007FF79B5D8260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C5280 0_2_00007FF79B5C5280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5DA680 0_2_00007FF79B5DA680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C3A90 0_2_00007FF79B5C3A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5E2690 0_2_00007FF79B5E2690
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C7E60 0_2_00007FF79B5C7E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D8260 0_2_00007FF79B5D8260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C4E70 0_2_00007FF79B5C4E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FCA40 0_2_00007FF79B5FCA40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B602640 0_2_00007FF79B602640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B615700 0_2_00007FF79B615700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B612300 0_2_00007FF79B612300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5ECAF0 0_2_00007FF79B5ECAF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C7AC0 0_2_00007FF79B5C7AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5F92D0 0_2_00007FF79B5F92D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C3AB0 0_2_00007FF79B5C3AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C32B0 0_2_00007FF79B5C32B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5DAD70 0_2_00007FF79B5DAD70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D2D70 0_2_00007FF79B5D2D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5C2D30 0_2_00007FF79B5C2D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D1930 0_2_00007FF79B5D1930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5CA616 0_2_00007FF79B5CA616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5F9210 0_2_00007FF79B5F9210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5D39D0 0_2_00007FF79B5D39D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5FF1D0 0_2_00007FF79B5FF1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5DCDB0 0_2_00007FF79B5DCDB0
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632939512.0000017D175F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628015783.0000017D174F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe
Source: classification engine Classification label: mal64.evad.winEXE@1/0@1/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B603EA0 CoCreateInstance,CoSetProxyBlanket, 0_2_00007FF79B603EA0
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: perfos.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Section loaded: profapi.dll
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static file information: File size 30420480 > 1048576
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1ca8a00
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: section name: .voltbl
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B5E9D10 GetSystemInfo, 0_2_00007FF79B5E9D10
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesS
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17836000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619018701.0000017D16FC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flus
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2605464690.0000017D15622000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D1560C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D175DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: lowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotj
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition4
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D1781B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2628920702.0000017D171CE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2633927973.0000017D171CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisore
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619393872.0000017D16FC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partitiondn;P
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processorw
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2605435877.0000017D16FAE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2603197388.0000017D16FB1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2606389974.0000017D16FB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HW
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesI
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2620286194.0000017D17033000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2620124309.0000017D17050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tions/sec9568BranchCache9570Retrieval: Bytes from server9572Retrieval: Bytes from cache9574Retrieval: Bytes served9576Discovery: Weighted average discovery time9578SMB: Bytes from cache9580SMB: Bytes from server9582BITS: Bytes from cache9584BITS: Bytes from server9586WININET: Bytes from cache9588WININET: Bytes from server9590WINHTTP: Bytes from cache9592WINHTTP: Bytes from server9594OTHER: Bytes from cache9596OTHER: Bytes from server9598Discovery: Attempted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2627498811.0000017D17836000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processordll
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processors9
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2605435877.0000017D16FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V fhcggfswwssneqq Bus
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619393872.0000017D16FC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervis
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorC;
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2604119045.0000017D16FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2604195617.0000017D16FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2605416998.0000017D16FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2604363465.0000017D16FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619018701.0000017D16FC1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2606024731.0000017D16FF5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619091530.0000017D16FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition:
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2604859289.0000017D16FAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hyperviso
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2639019408.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2647703909.0000017D155F5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.mui
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2604341657.0000017D16FD7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2603169576.0000017D16FBE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2605558473.0000017D16FD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Inte
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1725B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotj
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V fhcggfswwssneqq Bus Pipes
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition.dll
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2619091530.0000017D16FF4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: or Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions CostomplHH
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D1751A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17208000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1751A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D17588000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D155B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D1718B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2644252831.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000002.2649273952.0000017D1553C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2634737707.0000017D1750B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorr
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2626571654.0000017D17261000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshotd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe NtQueryInformationProcess: Indirect: 0x7FF79B600CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe NtQueryInformationProcess: Indirect: 0x7FF79B600E4C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe NtQueryInformationProcess: Indirect: 0x7FF79B6021BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe NtQueryInformationProcess: Indirect: 0x7FF79B602255
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2642080121.0000017D178A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2632926203.0000017D178A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2631683987.0000017D17506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2641038675.0000017D17506000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2631683987.0000017D17506000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe, 00000000.00000003.2641038675.0000017D17506000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe Code function: 0_2_00007FF79B600830 GetProcessTimes,GetSystemTimes,GetProcessIoCounters,GetTokenInformation,GetTokenInformation,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,K32GetModuleFileNameExW,ReadProcessMemory,ReadProcessMemory,RtlFreeHeap,RtlFreeHeap,ReadProcessMemory, 0_2_00007FF79B600830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.1579.2229.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
No contacted IP infos