Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Analysis ID:	755940
MD5:	55d6460392408d1325c18b69a91c28e3
SHA1:	405847d03be406a0025eda76852dfd46420a8d7a
SHA256:	d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sigma detected: Scheduled temp file as task from temp location

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Machine Learning detection for dropped file

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Adds a directory exclusion to Windows Defender

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.somethingyourselves.com/n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u	Avira URL Cloud: Label: malware
Source: www.madamkikkiey.net/n2hm/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe

ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe

Joe Sandbox ML: detected

Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.madamkikkiey.net/n2hm/"]}

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.somethingyourselves.com
Source: C:\Windows\explorer.exe	Network Connect: 103.193.185.8 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.madamkikkiey.net/n2hm/

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: EHOSTIDC-AS-KREHOSTICTKR EHOSTIDC-AS-KREHOSTICTKR

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u HTTP/1.1Host: www.somethingyourselves.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.193.185.8 103.193.185.8

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 29 Nov 2022 09:43:45 GMTServer: ApacheContent-Type: text/htmlContent-Length: 1Vary: Accept-EncodingConnection: closeData Raw: 20 Data Ascii:

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359450288.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359450288.00000000014C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.313238837.0000000005D88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.c
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.313238837.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.come
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comiv
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: 17089-7.17.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 17089-7.17.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 17089-7.17.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 17089-7.17.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

DNS traffic detected: queries for: www.somethingyourselves.com

Source: global traffic

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.501723041.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 5616, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: FqJXaFxwEj.exe PID: 4460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.501723041.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 5616, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: FqJXaFxwEj.exe PID: 4460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 3628, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_02E34948	0_2_02E34948
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_02E34938	0_2_02E34938
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053506E8	0_2_053506E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053528E0	0_2_053528E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053566F8	0_2_053566F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053566EB	0_2_053566EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053506D9	0_2_053506D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_05352330	0_2_05352330
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_05352320	0_2_05352320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_05356998	0_2_05356998
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_05356989	0_2_05356989
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Code function: 7_2_011DC164	7_2_011DC164
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Code function: 7_2_011DE5B0	7_2_011DE5B0
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Code function: 7_2_011DE5A1	7_2_011DE5A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B299BF	9_2_01B299BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B22990	9_2_01B22990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B1C1C0	9_2_01B1C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B24120	9_2_01B24120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B0F900	9_2_01B0F900
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B320A0	9_2_01B320A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD20A8	9_2_01BD20A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B1B090	9_2_01B1B090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC60F5	9_2_01BC60F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B088E0	9_2_01B088E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD28EC	9_2_01BD28EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2A830	9_2_01B2A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BDE824	9_2_01BDE824
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B3701D	9_2_01B3701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B06800	9_2_01B06800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC1002	9_2_01BC1002
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B3EBB0	9_2_01B3EBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2EB9A	9_2_01B2EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BAEB8A	9_2_01BAEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B3138B	9_2_01B3138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BB23E3	9_2_01BB23E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B58BE8	9_2_01B58BE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC03DA	9_2_01BC03DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B3ABD8	9_2_01B3ABD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BCDBD2	9_2_01BCDBD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD2B28	9_2_01BD2B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC231B	9_2_01BC231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2A309	9_2_01B2A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B23360	9_2_01B23360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2AB40	9_2_01B2AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BACB4F	9_2_01BACB4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD22AE	9_2_01BD22AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD32A9	9_2_01BD32A9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC4AEF	9_2_01BC4AEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BCE2C5	9_2_01BCE2C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2B236	9_2_01B2B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BBFA2B	9_2_01BBFA2B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC5A4F	9_2_01BC5A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B365A0	9_2_01B365A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B32581	9_2_01B32581
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC2D82	9_2_01BC2D82
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B1D5E0	9_2_01B1D5E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD25DD	9_2_01BD25DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B00D20	9_2_01B00D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD2D07	9_2_01BD2D07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B22D50	9_2_01B22D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD1D55	9_2_01BD1D55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC4496	9_2_01BC4496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B34CD4	9_2_01B34CD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B22430	9_2_01B22430
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B1841F	9_2_01B1841F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B2B477	9_2_01B2B477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BCCC77	9_2_01BCCC77
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BCD466	9_2_01BCD466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD1FF1	9_2_01BD1FF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BC67E2	9_2_01BC67E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BDDFCE	9_2_01BDDFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BB1EB6	9_2_01BB1EB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BD2EF7	9_2_01BD2EF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B306C0	9_2_01B306C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B26E30	9_2_01B26E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01BCD616	9_2_01BCD616
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B25600	9_2_01B25600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B09660	9_2_01B09660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B8AE60	9_2_01B8AE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004012A3	9_2_004012A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0042195E	9_2_0042195E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00422343	9_2_00422343
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004223DC	9_2_004223DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00422C0F	9_2_00422C0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004044C7	9_2_004044C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004044BE	9_2_004044BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0040B532	9_2_0040B532
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0040B537	9_2_0040B537
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004225D3	9_2_004225D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0042159C	9_2_0042159C

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: String function: 01B95720 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: String function: 01B5D08C appears 48 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: String function: 01B0B150 appears 177 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01B49860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B496E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01B496E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01B49660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B499A0 NtCreateSection,	9_2_01B499A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B499D0 NtCreateProcessEx,	9_2_01B499D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49910 NtAdjustPrivilegesToken,	9_2_01B49910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49950 NtQueueApcThread,	9_2_01B49950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B498A0 NtWriteVirtualMemory,	9_2_01B498A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B498F0 NtReadVirtualMemory,	9_2_01B498F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49820 NtEnumerateKey,	9_2_01B49820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49840 NtDelayExecution,	9_2_01B49840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B4B040 NtSuspendThread,	9_2_01B4B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B4A3B0 NtGetContextThread,	9_2_01B4A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49B00 NtSetValueKey,	9_2_01B49B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49A80 NtOpenDirectoryObject,	9_2_01B49A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49A20 NtResumeThread,	9_2_01B49A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49A10 NtQuerySection,	9_2_01B49A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49A00 NtProtectVirtualMemory,	9_2_01B49A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49A50 NtCreateFile,	9_2_01B49A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B495F0 NtQueryInformationFile,	9_2_01B495F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B495D0 NtClose,	9_2_01B495D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B4AD30 NtSetContextThread,	9_2_01B4AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49520 NtWaitForSingleObject,	9_2_01B49520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49560 NtWriteFile,	9_2_01B49560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49540 NtReadFile,	9_2_01B49540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B497A0 NtUnmapViewOfSection,	9_2_01B497A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49780 NtMapViewOfSection,	9_2_01B49780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49FE0 NtCreateMutant,	9_2_01B49FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49730 NtQueryVirtualMemory,	9_2_01B49730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49710 NtQueryInformationToken,	9_2_01B49710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B4A710 NtOpenProcessToken,	9_2_01B4A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49770 NtSetInformationFile,	9_2_01B49770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B4A770 NtOpenThread,	9_2_01B4A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49760 NtOpenProcess,	9_2_01B49760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B496D0 NtCreateKey,	9_2_01B496D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49610 NtEnumerateValueKey,	9_2_01B49610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49670 NtQueryInformationProcess,	9_2_01B49670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B49650 NtQueryValueKey,	9_2_01B49650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E047 NtReadFile,	9_2_0041E047
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E0C7 NtClose,	9_2_0041E0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E177 NtAllocateVirtualMemory,	9_2_0041E177
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004012A3 NtProtectVirtualMemory,	9_2_004012A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041DF97 NtCreateFile,	9_2_0041DF97
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E042 NtReadFile,	9_2_0041E042
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E0C1 NtClose,	9_2_0041E0C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041E173 NtAllocateVirtualMemory,	9_2_0041E173
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004014E9 NtProtectVirtualMemory,	9_2_004014E9

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308286342.0000000000A42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenXwV.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.366984387.0000000007650000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.360162279.0000000001A69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.357988306.00000000018BD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.362197036.0000000001BFF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Binary or memory string: OriginalFilenamenXwV.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FqJXaFxwEj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

ReversingLabs: Detection: 29%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5212:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3216:120:WilError_01
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Mutant created: \Sessions\1\BaseNamedObjects\FgAniyuUJLIlHUpU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_02E3F401 push ecx; ret	0_2_02E3F415
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 0_2_053571C1 push esp; iretd	0_2_053571C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_01B5D0D1 push ecx; ret	9_2_01B5D0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0040588C push 00000021h; retf	9_2_0040588E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004229DB push ebx; ret	9_2_004229DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_004212CC push eax; ret	9_2_0042131F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00421319 push eax; ret	9_2_0042131F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00421322 push eax; ret	9_2_00421389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00421383 push eax; ret	9_2_00421389
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00409C01 push eax; iretd	9_2_00409C1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_00422C0F push dword ptr [B99DF5C4h]; ret	9_2_00422FF5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Code function: 9_2_0041AD57 push ebp; iretd	9_2_0041AD5B

Source: initial sample	Static PE information: section name: .text entropy: 7.644411619658559
Source: initial sample	Static PE information: section name: .text entropy: 7.644411619658559

Source: Yara match	File source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: FqJXaFxwEj.exe PID: 5516, type: MEMORYSTR

Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe TID: 4584	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2264	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5192	Thread sleep count: 9277 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe TID: 5560	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe TID: 2472	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9438			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9277			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000E.00000000.411916320.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 0000000E.00000000.454651139.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.400286007.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000E.00000000.455182068.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.486557090.000000000CDEC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 0000000E.00000000.454651139.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: explorer.exe, 0000000E.00000000.415035418.00000000085A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	Thread register set: target process: 3528			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3528

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.484036893.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.454888148.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000000.443354268.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.388566345.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.473028657.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Name	IP	Active
www.somethingyourselves.com	103.193.185.8	true
www.alrt.info	80.92.205.131	true

Name	Malicious	Antivirus Detection	Reputation
http://www.somethingyourselves.com/n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u	true	Avira URL Cloud: malware	unknown
www.madamkikkiey.net/n2hm/	true	Avira URL Cloud: malware	low

ID:	755940
Product:	CloudBasic
Start time:	10:40:48
Start date:	29.11.2022
Sample:	SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	55d6460392408d1325c18b69a91c28e3
SHA1:	405847d03be406a0025eda76852dfd46420a8d7a
SHA256:	d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FqJXaFxwEj.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	84C44110AE1D79E1CAF451F6E381CEE6	1A92B2ABA0161D4DD3C807D665E08E25C8DD6E99	D0024E0C27DC567BD3601940C8653CED465C588B384F4D9794338015D5E83D1B
C:\Users\user\AppData\Local\Temp\17089-7	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3	5F02C426BCF0D3E3DC81F002F9125663	EA50920666E30250E4BE05194FA7B3F44967BE94	DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44oebsyr.ko3.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4searmeq.c02.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab3likgp.3hk.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuw1e3h0.ro1.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp4724.tmp	XML 1.0 document, ASCII text	936AEB32A643A82E85DFCB00D9B2AA81	B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F	BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp	XML 1.0 document, ASCII text	936AEB32A643A82E85DFCB00D9B2AA81	B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F	BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	55D6460392408D1325C18B69A91C28E3	405847D03BE406A0025EDA76852DFD46420A8D7A	D1E9780A620DDF149C2AED319388BCA7ED690C2A58C9FFC8F60B1C4515115DC9
C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309