Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Analysis ID:	756002
MD5:	d6f0e59d1bb1d559029da21e132a1c9b
SHA1:	7b760ca553c6d95126146825b1f5b846d5a69378
SHA256:	0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe (PID: 5708 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe (PID: 64 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 2816 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 5328 cmdline: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

wPBZqbH.exe (PID: 5316 cmdline: "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe" MD5: D6F0E59D1BB1D559029DA21E132A1C9B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail.akademetre.com", "Username": "suletas@akademetre.com", "Password": "st6473"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x143c06:$a13: get_DnsResolver 0x17a426:$a13: get_DnsResolver 0x1b0a46:$a13: get_DnsResolver 0x142313:$a20: get_LastAccessed 0x178b33:$a20: get_LastAccessed 0x1af153:$a20: get_LastAccessed 0x144634:$a27: set_InternalServerPort 0x17ae54:$a27: set_InternalServerPort 0x1b1474:$a27: set_InternalServerPort 0x144969:$a30: set_GuidMasterKey 0x17b189:$a30: set_GuidMasterKey 0x1b17a9:$a30: set_GuidMasterKey 0x142425:$a33: get_Clipboard 0x178c45:$a33: get_Clipboard 0x1af265:$a33: get_Clipboard 0x142433:$a34: get_Keyboard 0x178c53:$a34: get_Keyboard 0x1af273:$a34: get_Keyboard 0x143800:$a35: get_ShiftKeyDown 0x17a020:$a35: get_ShiftKeyDown 0x1b0640:$a35: get_ShiftKeyDown
0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31d06:$a13: get_DnsResolver 0x30413:$a20: get_LastAccessed 0x32734:$a27: set_InternalServerPort 0x32a69:$a30: set_GuidMasterKey 0x30525:$a33: get_Clipboard 0x30533:$a34: get_Keyboard 0x31900:$a35: get_ShiftKeyDown 0x31911:$a36: get_AltKeyDown 0x30540:$a37: get_Password 0x3105b:$a38: get_PasswordHash 0x32168:$a39: get_DefaultCredentials
00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x46d51:$a13: get_DnsResolver 0x45d3c:$a20: get_LastAccessed 0x473f3:$a27: set_InternalServerPort 0x475da:$a30: set_GuidMasterKey 0x45e22:$a33: get_Clipboard 0x45e30:$a34: get_Keyboard 0x46ace:$a35: get_ShiftKeyDown 0x46adf:$a36: get_AltKeyDown 0x45e3d:$a37: get_Password 0x46554:$a38: get_PasswordHash 0x47011:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2a2ec:$a13: get_DnsResolver 0x28c59:$a20: get_LastAccessed 0x2acc9:$a27: set_InternalServerPort 0x2af30:$a30: set_GuidMasterKey 0x28d54:$a33: get_Clipboard 0x28d62:$a34: get_Keyboard 0x29f82:$a35: get_ShiftKeyDown 0x29f93:$a36: get_AltKeyDown 0x28d6f:$a37: get_Password 0x297e6:$a38: get_PasswordHash 0x2a722:$a39: get_DefaultCredentials
Process Memory Space: wPBZqbH.exe PID: 2816	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: wPBZqbH.exe PID: 5328	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: wPBZqbH.exe PID: 5328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.wPBZqbH.exe.2d3063c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.wPBZqbH.exe.2d3063c.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16a:$v1: SbieDll.dll 0xd184:$v2: USER 0xd190:$v3: SANDBOX 0xd1a2:$v4: VIRUS 0xd1f2:$v4: VIRUS 0xd1b0:$v5: MALWARE 0xd1c2:$v6: SCHMIDTI 0xd1d6:$v7: CURRENTUSER
11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93a:$v1: SbieDll.dll 0x2a954:$v2: USER 0x2a960:$v3: SANDBOX 0x2a972:$v4: VIRUS 0x2a9c2:$v4: VIRUS 0x2a980:$v5: MALWARE 0x2a992:$v6: SCHMIDTI 0x2a9a6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16a:$v1: SbieDll.dll 0xd184:$v2: USER 0xd190:$v3: SANDBOX 0xd1a2:$v4: VIRUS 0xd1f2:$v4: VIRUS 0xd1b0:$v5: MALWARE 0xd1c2:$v6: SCHMIDTI 0xd1d6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x1458e0:$s10: logins 0x17c100:$s10: logins 0x1b2720:$s10: logins 0x14535a:$s11: credential 0x17bb7a:$s11: credential 0x1b219a:$s11: credential 0x1415bd:$g1: get_Clipboard 0x177ddd:$g1: get_Clipboard 0x1ae3fd:$g1: get_Clipboard 0x1415cb:$g2: get_Keyboard 0x177deb:$g2: get_Keyboard 0x1ae40b:$g2: get_Keyboard 0x1415d8:$g3: get_Password 0x177df8:$g3: get_Password 0x1ae418:$g3: get_Password 0x142988:$g4: get_CtrlKeyDown 0x1791a8:$g4: get_CtrlKeyDown 0x1af7c8:$g4: get_CtrlKeyDown 0x142998:$g5: get_ShiftKeyDown 0x1791b8:$g5: get_ShiftKeyDown 0x1af7d8:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xb327f:$s1: file:/// 0xb318f:$s2: {11111-22222-10009-11112} 0xb320f:$s3: {11111-22222-50001-00000} 0xb2411:$s4: get_Module 0xb278c:$s5: Reverse 0x141b6e:$s5: Reverse 0x17838e:$s5: Reverse 0x1ae9ae:$s5: Reverse 0xad995:$s6: BlockCopy 0x143bb4:$s6: BlockCopy 0x17a3d4:$s6: BlockCopy 0x1b09f4:$s6: BlockCopy 0x141e2c:$s7: ReadByte 0x17864c:$s7: ReadByte 0x1aec6c:$s7: ReadByte 0xb3291:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x142d9e:$a13: get_DnsResolver 0x1795be:$a13: get_DnsResolver 0x1afbde:$a13: get_DnsResolver 0x1414ab:$a20: get_LastAccessed 0x177ccb:$a20: get_LastAccessed 0x1ae2eb:$a20: get_LastAccessed 0x1437cc:$a27: set_InternalServerPort 0x179fec:$a27: set_InternalServerPort 0x1b060c:$a27: set_InternalServerPort 0x143b01:$a30: set_GuidMasterKey 0x17a321:$a30: set_GuidMasterKey 0x1b0941:$a30: set_GuidMasterKey 0x1415bd:$a33: get_Clipboard 0x177ddd:$a33: get_Clipboard 0x1ae3fd:$a33: get_Clipboard 0x1415cb:$a34: get_Keyboard 0x177deb:$a34: get_Keyboard 0x1ae40b:$a34: get_Keyboard 0x142998:$a35: get_ShiftKeyDown 0x1791b8:$a35: get_ShiftKeyDown 0x1af7d8:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93a:$v1: SbieDll.dll 0x2a954:$v2: USER 0x2a960:$v3: SANDBOX 0x2a972:$v4: VIRUS 0x2a9c2:$v4: VIRUS 0x2a980:$v5: MALWARE 0x2a992:$v6: SCHMIDTI 0x2a9a6:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xc7868:$s10: logins 0xfe088:$s10: logins 0x1346a8:$s10: logins 0xc72e2:$s11: credential 0xfdb02:$s11: credential 0x134122:$s11: credential 0xc3545:$g1: get_Clipboard 0xf9d65:$g1: get_Clipboard 0x130385:$g1: get_Clipboard 0xc3553:$g2: get_Keyboard 0xf9d73:$g2: get_Keyboard 0x130393:$g2: get_Keyboard 0xc3560:$g3: get_Password 0xf9d80:$g3: get_Password 0x1303a0:$g3: get_Password 0xc4910:$g4: get_CtrlKeyDown 0xfb130:$g4: get_CtrlKeyDown 0x131750:$g4: get_CtrlKeyDown 0xc4920:$g5: get_ShiftKeyDown 0xfb140:$g5: get_ShiftKeyDown 0x131760:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x35207:$s1: file:/// 0x35117:$s2: {11111-22222-10009-11112} 0x35197:$s3: {11111-22222-50001-00000} 0x34399:$s4: get_Module 0x34714:$s5: Reverse 0xc3af6:$s5: Reverse 0xfa316:$s5: Reverse 0x130936:$s5: Reverse 0x2f91d:$s6: BlockCopy 0xc5b3c:$s6: BlockCopy 0xfc35c:$s6: BlockCopy 0x13297c:$s6: BlockCopy 0xc3db4:$s7: ReadByte 0xfa5d4:$s7: ReadByte 0x130bf4:$s7: ReadByte 0x35219:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc4d26:$a13: get_DnsResolver 0xfb546:$a13: get_DnsResolver 0x131b66:$a13: get_DnsResolver 0xc3433:$a20: get_LastAccessed 0xf9c53:$a20: get_LastAccessed 0x130273:$a20: get_LastAccessed 0xc5754:$a27: set_InternalServerPort 0xfbf74:$a27: set_InternalServerPort 0x132594:$a27: set_InternalServerPort 0xc5a89:$a30: set_GuidMasterKey 0xfc2a9:$a30: set_GuidMasterKey 0x1328c9:$a30: set_GuidMasterKey 0xc3545:$a33: get_Clipboard 0xf9d65:$a33: get_Clipboard 0x130385:$a33: get_Clipboard 0xc3553:$a34: get_Keyboard 0xf9d73:$a34: get_Keyboard 0x130393:$a34: get_Keyboard 0xc4920:$a35: get_ShiftKeyDown 0xfb140:$a35: get_ShiftKeyDown 0x131760:$a35: get_ShiftKeyDown
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a48:$s10: logins 0x344c2:$s11: credential 0x30725:$g1: get_Clipboard 0x30733:$g2: get_Keyboard 0x30740:$g3: get_Password 0x31af0:$g4: get_CtrlKeyDown 0x31b00:$g5: get_ShiftKeyDown 0x31b11:$g6: get_AltKeyDown
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f06:$a13: get_DnsResolver 0x30613:$a20: get_LastAccessed 0x32934:$a27: set_InternalServerPort 0x32c69:$a30: set_GuidMasterKey 0x30725:$a33: get_Clipboard 0x30733:$a34: get_Keyboard 0x31b00:$a35: get_ShiftKeyDown 0x31b11:$a36: get_AltKeyDown 0x30740:$a37: get_Password 0x3125b:$a38: get_PasswordHash 0x32368:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c48:$s10: logins 0x326c2:$s11: credential 0x2e925:$g1: get_Clipboard 0x2e933:$g2: get_Keyboard 0x2e940:$g3: get_Password 0x2fcf0:$g4: get_CtrlKeyDown 0x2fd00:$g5: get_ShiftKeyDown 0x2fd11:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x30106:$a13: get_DnsResolver 0x2e813:$a20: get_LastAccessed 0x30b34:$a27: set_InternalServerPort 0x30e69:$a30: set_GuidMasterKey 0x2e925:$a33: get_Clipboard 0x2e933:$a34: get_Keyboard 0x2fd00:$a35: get_ShiftKeyDown 0x2fd11:$a36: get_AltKeyDown 0x2e940:$a37: get_Password 0x2f45b:$a38: get_PasswordHash 0x30568:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a48:$s10: logins 0x6b268:$s10: logins 0xa1888:$s10: logins 0x344c2:$s11: credential 0x6ace2:$s11: credential 0xa1302:$s11: credential 0x30725:$g1: get_Clipboard 0x66f45:$g1: get_Clipboard 0x9d565:$g1: get_Clipboard 0x30733:$g2: get_Keyboard 0x66f53:$g2: get_Keyboard 0x9d573:$g2: get_Keyboard 0x30740:$g3: get_Password 0x66f60:$g3: get_Password 0x9d580:$g3: get_Password 0x31af0:$g4: get_CtrlKeyDown 0x68310:$g4: get_CtrlKeyDown 0x9e930:$g4: get_CtrlKeyDown 0x31b00:$g5: get_ShiftKeyDown 0x68320:$g5: get_ShiftKeyDown 0x9e940:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31f06:$a13: get_DnsResolver 0x68726:$a13: get_DnsResolver 0x9ed46:$a13: get_DnsResolver 0x30613:$a20: get_LastAccessed 0x66e33:$a20: get_LastAccessed 0x9d453:$a20: get_LastAccessed 0x32934:$a27: set_InternalServerPort 0x69154:$a27: set_InternalServerPort 0x9f774:$a27: set_InternalServerPort 0x32c69:$a30: set_GuidMasterKey 0x69489:$a30: set_GuidMasterKey 0x9faa9:$a30: set_GuidMasterKey 0x30725:$a33: get_Clipboard 0x66f45:$a33: get_Clipboard 0x9d565:$a33: get_Clipboard 0x30733:$a34: get_Keyboard 0x66f53:$a34: get_Keyboard 0x9d573:$a34: get_Keyboard 0x31b00:$a35: get_ShiftKeyDown 0x68320:$a35: get_ShiftKeyDown 0x9e940:$a35: get_ShiftKeyDown
Click to see the 25 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496995872840032 11/29/22-13:51:17.089585
SID:	2840032
Source Port:	49699
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496985872851779 11/29/22-13:50:47.438476
SID:	2851779
Source Port:	49698
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496985872840032 11/29/22-13:50:47.438476
SID:	2840032
Source Port:	49698
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496985872030171 11/29/22-13:50:47.438476
SID:	2030171
Source Port:	49698
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496995872851779 11/29/22-13:51:17.089585
SID:	2851779
Source Port:	49699
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496995872030171 11/29/22-13:51:17.089495
SID:	2030171
Source Port:	49699
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496995872839723 11/29/22-13:51:17.089495
SID:	2839723
Source Port:	49699
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/Agent Tesla SMTP Activity - Source IP: 192.168.2.3 - Destination IP: 212.58.6.82

Timestamp:	192.168.2.3212.58.6.82496985872839723 11/29/22-13:50:47.438476
SID:	2839723
Source Port:	49698
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

ReversingLabs: Detection: 45%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

ReversingLabs: Detection: 45%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

Joe Sandbox ML: detected

Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.akademetre.com", "Username": "suletas@akademetre.com", "Password": "st6473"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49698 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49698 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49698 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49698 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49699 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.3:49699 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49699 -> 212.58.6.82:587
Source: Traffic	Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.3:49699 -> 212.58.6.82:587

Source: Joe Sandbox View

ASN Name: DORUKNETTR DORUKNETTR

Source: Joe Sandbox View

IP Address: 212.58.6.82 212.58.6.82

Source: global traffic

TCP traffic: 192.168.2.3:49698 -> 212.58.6.82:587

Source: global traffic

TCP traffic: 192.168.2.3:49698 -> 212.58.6.82:587

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hVcQOe.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.553736174.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.akademetre.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://Xnj1QfqQIFq9bE.net
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.akademetre.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 0_2_02E1C164	0_2_02E1C164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 0_2_02E1E5A2	0_2_02E1E5A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 0_2_02E1E5B0	0_2_02E1E5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_00F36CAE	7_2_00F36CAE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_059CC570	7_2_059CC570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_059CD2D0	7_2_059CD2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_059C29F8	7_2_059C29F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_059C0910	7_2_059C0910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Code function: 7_2_059C0040	7_2_059C0040

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.312566728.0000000007610000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFNkO.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.312712886.0000000007830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000000.289835221.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename58651ded-a5cb-48e7-921d-91931b151fe1.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.535980691.0000000000939000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Binary or memory string: OriginalFilenameFNkO.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wPBZqbH.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

ReversingLabs: Detection: 45%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe "C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File created: C:\Users\user\AppData\Local\Temp\tmp14ED.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/4@3/2

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000000.267518160.0000000000B92000.00000002.00000001.01000000.00000003.sdmp, wPBZqbH.exe.7.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Code function: 0_2_02E1F972 pushad ; iretd

0_2_02E1F979

Source: initial sample	Static PE information: section name: .text entropy: 7.661200368718481
Source: initial sample	Static PE information: section name: .text entropy: 7.661200368718481

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

File opened: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 11.2.wPBZqbH.exe.2d3063c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.wPBZqbH.exe.2d12e6c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2ff0724.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.2fd2f54.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wPBZqbH.exe PID: 2816, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5628	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5712	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 2956	Thread sleep count: 9672 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99509s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99396s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99160s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -99041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -98930s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe TID: 5084	Thread sleep time: -98597s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5448	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 1780	Thread sleep count: 9764 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99858s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99734s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99618s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99391s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5708	Thread sleep time: -99281s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe TID: 5332	Thread sleep time: -38122s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Window / User API: threadDelayed 9672			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Window / User API: threadDelayed 9764			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99859	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99624	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99509	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99396	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99278	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99160	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 99041	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 98930	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Thread delayed: delay time: 98597	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99858	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99734	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99618	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99391	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 99281	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Thread delayed: delay time: 38122	Jump to behavior

Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: wPBZqbH.exe, 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Process created: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

Source: Yara match	File source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.420be68.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.4289ee0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.431cd00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 5708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe PID: 64, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wPBZqbH.exe PID: 5328, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Hidden Files and Directories	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe	45%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.0.SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://Xnj1QfqQIFq9bE.net	0%	Avira URL Cloud	safe
http://hVcQOe.com	0%	Avira URL Cloud	safe
http://mail.akademetre.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.akademetre.com	212.58.6.82	true	true		unknown
_kerberos._tcp.dc._msdcs.akademetre.com	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://Xnj1QfqQIFq9bE.net	wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://hVcQOe.com	wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://mail.akademetre.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000007.00000002.553736174.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, wPBZqbH.exe, 0000000C.00000002.549612745.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	wPBZqbH.exe, 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe, 00000000.00000002.309893360.0000000006FF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.58.6.82	mail.akademetre.com	Turkey		8685	DORUKNETTR	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756002
Start date and time:	2022-11-29 13:49:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/4@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.35.236.109
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Simulations

Behavior and APIs

Time	Type	Description
13:50:20	API Interceptor	602x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe modified
13:50:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
13:50:46	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wPBZqbH C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
13:50:52	API Interceptor	420x Sleep call for process: wPBZqbH.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
212.58.6.82	SecuriteInfo.com.Win32.PWSX-gen.5152.22186.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.27634.23918.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.44597.31663.31710.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Packed2.44634.7162.6850.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.2333.18348.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.25112.28503.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.10615.22905.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.26769.14829.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.akademetre.com	SecuriteInfo.com.Win32.PWSX-gen.5152.22186.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.27634.23918.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Trojan.Packed2.44597.31663.31710.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Trojan.Packed2.44634.7162.6850.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.2333.18348.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.25112.28503.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.10615.22905.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.26769.14829.exe	Get hash	malicious	Browse	212.58.6.82

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DORUKNETTR	SecuriteInfo.com.Win32.PWSX-gen.5152.22186.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.27634.23918.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Trojan.Packed2.44597.31663.31710.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Trojan.Packed2.44634.7162.6850.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.2333.18348.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.25112.28503.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.10615.22905.exe	Get hash	malicious	Browse	212.58.6.82
	SecuriteInfo.com.Win32.PWSX-gen.26769.14829.exe	Get hash	malicious	Browse	212.58.6.82
	Teklif talebi ve proforma fatura 2022 06 28.pdf.exe	Get hash	malicious	Browse	212.58.3.62
	doc2022060601001.pdf.exe	Get hash	malicious	Browse	212.58.3.62
	Doc_2022060201111111.pdf.exe	Get hash	malicious	Browse	212.58.3.62
	DOC2022051950U8579490.PDF.exe	Get hash	malicious	Browse	212.58.3.62
	doc2022052401001.pdf.exe	Get hash	malicious	Browse	212.58.3.62
	3532CORDERCONFIRMATION,pdf.exe	Get hash	malicious	Browse	212.58.3.62
	sora.arm7	Get hash	malicious	Browse	212.2.219.145
	k42mrBhMWn	Get hash	malicious	Browse	212.58.9.86
	sys.exe	Get hash	malicious	Browse	82.151.143.222
	Z6UfOonRHz	Get hash	malicious	Browse	81.21.165.165
	sora.arm	Get hash	malicious	Browse	81.21.165.178
	policy#37820.xlsb	Get hash	malicious	Browse	212.2.198.90

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wPBZqbH.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	942592
Entropy (8bit):	7.654583285045402
Encrypted:	false
SSDEEP:	24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
MD5:	D6F0E59D1BB1D559029DA21E132A1C9B
SHA1:	7B760CA553C6D95126146825B1F5B846D5A69378
SHA-256:	0AFCAF64F298203C19EE5001AEB67A4A785A2A3A56FAC3EAD54C86811583D873
SHA-512:	21615F5CCE87C73E219F8357AD7B989F1C9B769FF1440A3E6804DA6A9D020E864F39E22D32361EDD996D8D11F9945A60EAB2FE0B32F55A9AA5D0901FCB4DB4FB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 45%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....c..............0..Z.........."y... ........@.. ....................................@..................................x..O.................................................................................... ............... ..H............text...(Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............`..............@..B.................y......H.......<...........l...8u..............................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.654583285045402
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
File size:	942592
MD5:	d6f0e59d1bb1d559029da21e132a1c9b
SHA1:	7b760ca553c6d95126146825b1f5b846d5a69378
SHA256:	0afcaf64f298203c19ee5001aeb67a4a785a2a3a56fac3ead54c86811583d873
SHA512:	21615f5cce87c73e219f8357ad7b989f1c9b769ff1440a3e6804da6a9d020e864f39e22d32361edd996d8d11f9945a60eab2fe0b32f55a9aa5d0901fcb4db4fb
SSDEEP:	24576:FyDdEPf3ZQWjM2Xgx9cyEthRYxdIipRgIdbl:FTPfZpHw0hRO+i3zdbl
TLSH:	C415D09033A6AF71F5796BF22511900827B23C5EA5F1D2296DDDF0DE2A72B4049F0B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0..Z.........."y... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4e7922
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385A4CC [Tue Nov 29 06:21:00 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe78d0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe8000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xea000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe5928	0xe5a00	False	0.8265057243467611	data	7.661200368718481	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe8000	0x388	0x400	False	0.37109375	data	2.851224218573292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xea000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe8058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3212.58.6.82496995872840032 11/29/22-13:51:17.089585	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49699	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496985872851779 11/29/22-13:50:47.438476	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49698	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496985872840032 11/29/22-13:50:47.438476	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49698	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496985872030171 11/29/22-13:50:47.438476	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49698	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496995872851779 11/29/22-13:51:17.089585	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49699	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496995872030171 11/29/22-13:51:17.089495	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49699	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496995872839723 11/29/22-13:51:17.089495	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49699	587	192.168.2.3	212.58.6.82
192.168.2.3212.58.6.82496985872839723 11/29/22-13:50:47.438476	TCP	2839723	ETPRO TROJAN Win32/Agent Tesla SMTP Activity	49698	587	192.168.2.3	212.58.6.82

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:50:46.464090109 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:46.511168957 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:46.511468887 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:46.558432102 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:46.559271097 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:46.606108904 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:46.655273914 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:46.935766935 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:46.983202934 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:46.992780924 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.039427042 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.040189028 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.089314938 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.097309113 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.144164085 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.164084911 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.212336063 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.264759064 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.360836029 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.408160925 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.438476086 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.438476086 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.439301968 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.439404011 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:50:47.485557079 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.485599995 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.487940073 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:50:47.530864000 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.604470968 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.652203083 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.652467012 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.699928999 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.700433016 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.747869015 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.788933992 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.836425066 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.836760044 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.883714914 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.897727966 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.945310116 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.945756912 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:16.993016958 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:16.993458033 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.041285992 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:17.041623116 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.088543892 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:17.089494944 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.089585066 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.089683056 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.089716911 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:51:17.136337042 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:17.136367083 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:17.138907909 CET	587	49699	212.58.6.82	192.168.2.3
Nov 29, 2022 13:51:17.189062119 CET	49699	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:52:26.316526890 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:52:26.397782087 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:52:26.397880077 CET	587	49698	212.58.6.82	192.168.2.3
Nov 29, 2022 13:52:26.397990942 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:52:26.398627996 CET	49698	587	192.168.2.3	212.58.6.82
Nov 29, 2022 13:52:26.445650101 CET	587	49698	212.58.6.82	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:50:46.354928970 CET	49977	53	192.168.2.3	8.8.8.8
Nov 29, 2022 13:50:46.420072079 CET	53	49977	8.8.8.8	192.168.2.3
Nov 29, 2022 13:50:46.813074112 CET	57840	53	192.168.2.3	8.8.8.8
Nov 29, 2022 13:50:46.886568069 CET	53	57840	8.8.8.8	192.168.2.3
Nov 29, 2022 13:51:16.486697912 CET	57990	53	192.168.2.3	8.8.8.8
Nov 29, 2022 13:51:16.571836948 CET	53	57990	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 13:50:46.354928970 CET	192.168.2.3	8.8.8.8	0xac75	Standard query (0)	mail.akademetre.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:50:46.813074112 CET	192.168.2.3	8.8.8.8	0x1488	Standard query (0)	_kerberos._tcp.dc._msdcs.akademetre.com	33	IN (0x0001)	false
Nov 29, 2022 13:51:16.486697912 CET	192.168.2.3	8.8.8.8	0x2c79	Standard query (0)	mail.akademetre.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 13:50:46.420072079 CET	8.8.8.8	192.168.2.3	0xac75	No error (0)	mail.akademetre.com		212.58.6.82	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:50:46.886568069 CET	8.8.8.8	192.168.2.3	0x1488	Name error (3)	_kerberos._tcp.dc._msdcs.akademetre.com	none	none	33	IN (0x0001)	false
Nov 29, 2022 13:51:16.571836948 CET	8.8.8.8	192.168.2.3	0x2c79	No error (0)	mail.akademetre.com		212.58.6.82	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 13:50:46.558432102 CET	587	49698	212.58.6.82	192.168.2.3	220 cmail16.webkontrol.doruk.net.tr ESMTP IceWarp Deep Castle 2 Update 2 build 14; Tue, 29 Nov 2022 15:51:08 +0300
Nov 29, 2022 13:50:46.559271097 CET	49698	587	192.168.2.3	212.58.6.82	EHLO 562258
Nov 29, 2022 13:50:46.606108904 CET	587	49698	212.58.6.82	192.168.2.3	250-cmail16.webkontrol.doruk.net.tr Hello 562258 [102.129.143.49], pleased to meet you. 250-ENHANCEDSTATUSCODES 250-SIZE 31457280 250-EXPN 250-ETRN 250-ATRN 250-CHECKPOINT 250-8BITMIME 250-DSN 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI 250-STARTTLS 250-VRFY 250 HELP
Nov 29, 2022 13:50:46.935766935 CET	49698	587	192.168.2.3	212.58.6.82	AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==
Nov 29, 2022 13:50:46.983202934 CET	587	49698	212.58.6.82	192.168.2.3	535 5.7.8 Authentication credentials invalid
Nov 29, 2022 13:50:46.992780924 CET	49698	587	192.168.2.3	212.58.6.82	AUTH login c3VsZXRhc0Bha2FkZW1ldHJlLmNvbQ==
Nov 29, 2022 13:50:47.039427042 CET	587	49698	212.58.6.82	192.168.2.3	334 UGFzc3dvcmQ6
Nov 29, 2022 13:50:47.089314938 CET	587	49698	212.58.6.82	192.168.2.3	235 2.0.0 Authentication successful
Nov 29, 2022 13:50:47.097309113 CET	49698	587	192.168.2.3	212.58.6.82	MAIL FROM:<suletas@akademetre.com>
Nov 29, 2022 13:50:47.144164085 CET	587	49698	212.58.6.82	192.168.2.3	250 2.1.0 <suletas@akademetre.com>... Sender ok
Nov 29, 2022 13:50:47.164084911 CET	49698	587	192.168.2.3	212.58.6.82	RCPT TO:<suletas@akademetre.com>
Nov 29, 2022 13:50:47.212336063 CET	587	49698	212.58.6.82	192.168.2.3	250 2.1.5 <suletas@akademetre.com>... Recipient ok
Nov 29, 2022 13:50:47.360836029 CET	49698	587	192.168.2.3	212.58.6.82	DATA
Nov 29, 2022 13:50:47.408160925 CET	587	49698	212.58.6.82	192.168.2.3	354 Enter mail, end with "." on a line by itself
Nov 29, 2022 13:50:47.439404011 CET	49698	587	192.168.2.3	212.58.6.82	.
Nov 29, 2022 13:50:47.487940073 CET	587	49698	212.58.6.82	192.168.2.3	250 2.6.0 724 bytes received in 00:00:00; Message id 202211291551094239 accepted for delivery
Nov 29, 2022 13:51:16.699928999 CET	587	49699	212.58.6.82	192.168.2.3	220 cmail16.webkontrol.doruk.net.tr ESMTP IceWarp Deep Castle 2 Update 2 build 14; Tue, 29 Nov 2022 15:51:38 +0300
Nov 29, 2022 13:51:16.700433016 CET	49699	587	192.168.2.3	212.58.6.82	EHLO 562258
Nov 29, 2022 13:51:16.747869015 CET	587	49699	212.58.6.82	192.168.2.3	250-cmail16.webkontrol.doruk.net.tr Hello 562258 [102.129.143.49], pleased to meet you. 250-ENHANCEDSTATUSCODES 250-SIZE 31457280 250-EXPN 250-ETRN 250-ATRN 250-CHECKPOINT 250-8BITMIME 250-DSN 250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI 250-STARTTLS 250-VRFY 250 HELP
Nov 29, 2022 13:51:16.788933992 CET	49699	587	192.168.2.3	212.58.6.82	AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAO5CAAAADw==
Nov 29, 2022 13:51:16.836425066 CET	587	49699	212.58.6.82	192.168.2.3	535 5.7.8 Authentication credentials invalid
Nov 29, 2022 13:51:16.836760044 CET	49699	587	192.168.2.3	212.58.6.82	AUTH login c3VsZXRhc0Bha2FkZW1ldHJlLmNvbQ==
Nov 29, 2022 13:51:16.883714914 CET	587	49699	212.58.6.82	192.168.2.3	334 UGFzc3dvcmQ6
Nov 29, 2022 13:51:16.945310116 CET	587	49699	212.58.6.82	192.168.2.3	235 2.0.0 Authentication successful
Nov 29, 2022 13:51:16.945756912 CET	49699	587	192.168.2.3	212.58.6.82	MAIL FROM:<suletas@akademetre.com>
Nov 29, 2022 13:51:16.993016958 CET	587	49699	212.58.6.82	192.168.2.3	250 2.1.0 <suletas@akademetre.com>... Sender ok
Nov 29, 2022 13:51:16.993458033 CET	49699	587	192.168.2.3	212.58.6.82	RCPT TO:<suletas@akademetre.com>
Nov 29, 2022 13:51:17.041285992 CET	587	49699	212.58.6.82	192.168.2.3	250 2.1.5 <suletas@akademetre.com>... Recipient ok
Nov 29, 2022 13:51:17.041623116 CET	49699	587	192.168.2.3	212.58.6.82	DATA
Nov 29, 2022 13:51:17.088543892 CET	587	49699	212.58.6.82	192.168.2.3	354 Enter mail, end with "." on a line by itself
Nov 29, 2022 13:51:17.089716911 CET	49699	587	192.168.2.3	212.58.6.82	.
Nov 29, 2022 13:51:17.138907909 CET	587	49699	212.58.6.82	192.168.2.3	250 2.6.0 724 bytes received in 00:00:00; Message id 202211291551384797 accepted for delivery
Nov 29, 2022 13:52:26.316526890 CET	49698	587	192.168.2.3	212.58.6.82	QUIT
Nov 29, 2022 13:52:26.397782087 CET	587	49698	212.58.6.82	192.168.2.3	221 2.0.0 cmail16.webkontrol.doruk.net.tr closing connection

Target ID:	0
Start time:	13:50:12
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Imagebase:	0xb90000
File size:	942592 bytes
MD5 hash:	D6F0E59D1BB1D559029DA21E132A1C9B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.296635266.000000000420B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.295133580.00000000032AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.292899757.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	7
Start time:	13:50:22
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe
Imagebase:	0x490000
File size:	942592 bytes
MD5 hash:	D6F0E59D1BB1D559029DA21E132A1C9B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000007.00000000.289589215.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.541886291.0000000002911000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	11
Start time:	13:50:46
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Imagebase:	0x8f0000
File size:	942592 bytes
MD5 hash:	D6F0E59D1BB1D559029DA21E132A1C9B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.361237827.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000B.00000002.365450020.0000000002FEB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 45%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	12
Start time:	13:50:54
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Imagebase:	0x440000
File size:	942592 bytes
MD5 hash:	D6F0E59D1BB1D559029DA21E132A1C9B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.541161776.0000000002951000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	13
Start time:	13:50:54
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe"
Imagebase:	0xf60000
File size:	942592 bytes
MD5 hash:	D6F0E59D1BB1D559029DA21E132A1C9B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	97
Total number of Limit Nodes:	8

Executed Functions

Function 02E1B6C1 Relevance: 6.1, APIs: 4, Instructions: 122
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E1B730
GetCurrentThread.KERNEL32 ref: 02E1B76D
GetCurrentProcess.KERNEL32 ref: 02E1B7AA
GetCurrentThreadId.KERNEL32 ref: 02E1B803

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 8115cc9e0df9dc1284fa2351e032dd74c5b9a02014be68e549a5cd2e53f5ddf3
Instruction ID: 5fbd889a958471031b3f03276f599f7317130461452093226074c067ffe10f87
Opcode Fuzzy Hash: 8115cc9e0df9dc1284fa2351e032dd74c5b9a02014be68e549a5cd2e53f5ddf3
Instruction Fuzzy Hash: C45144B4D002498FEB14CFA9C689BDEBFF1BF48318F24856AE419A7250DB346944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02E1B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02E1B730
GetCurrentThread.KERNEL32 ref: 02E1B76D
GetCurrentProcess.KERNEL32 ref: 02E1B7AA
GetCurrentThreadId.KERNEL32 ref: 02E1B803

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 047d5ad8264625e73287f52052a338b732d4a80c2c979b8784910321615eaf88
Instruction ID: 0a2de43812eac506362938c0a7713256a1815b70da8e1f27bb5a12a411c12145
Opcode Fuzzy Hash: 047d5ad8264625e73287f52052a338b732d4a80c2c979b8784910321615eaf88
Instruction Fuzzy Hash: B35143B4D002498FEB14CFAAC588BDEBBF1BF48318F24856AE419A7250DB746944CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02E1FCD8 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E1FE4A

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: aa93564878e868522eacb8a9aa4937e519c743979e50963467469a332b213288
Instruction ID: facd3bf6515755896ff0c1e69de862a47c8558292397adecc27bf5db93e71732
Opcode Fuzzy Hash: aa93564878e868522eacb8a9aa4937e519c743979e50963467469a332b213288
Instruction Fuzzy Hash: 3251FEB1C00349AFDF15CFA9C880ADEBFB1BF49314F14816AE918AB221D7759955CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E1FD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02E1FE4A

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 382dbeb42a73d07cfad94169812e3393edf27e150b4a44c02788750c7f34f363
Instruction ID: 48ec97274cdd3cf606b27585ac25930041e38bb6f95b8372896d04f7870e5464
Opcode Fuzzy Hash: 382dbeb42a73d07cfad94169812e3393edf27e150b4a44c02788750c7f34f363
Instruction Fuzzy Hash: 6E4191B1D103099FDF14CF99C884ADEBBB5BF88314F24852AE419AB250D7749945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E15364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E15421

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: db065b73170bf7f4a08e469943b8712bab6d740a5540280ccf6f25c5221d7db4
Instruction ID: c601264754e5edcc8a2d399c71e67e18bec24aa61db2efa2af9d73e4fde5f0f3
Opcode Fuzzy Hash: db065b73170bf7f4a08e469943b8712bab6d740a5540280ccf6f25c5221d7db4
Instruction Fuzzy Hash: 6D41F371C40218CFEB24DFA5C885BCDBBB1BF89309F60816AD419BB251DBB55946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E13DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02E15421

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b5d3cde064f3d488412f539f4a43e4d10870f769e5e812c61959727b55ea95b9
Instruction ID: 4694ccc91cb8f020bffc80e9d71d6d60a14dcc7a7ddba1504d40dec362906b0e
Opcode Fuzzy Hash: b5d3cde064f3d488412f539f4a43e4d10870f769e5e812c61959727b55ea95b9
Instruction Fuzzy Hash: 3A41F370C44218CFEB24DFA9C8857CEBBB1BF89309F60806AD419BB251DBB56945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E1B8F2 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E1B97F

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 55ca0a3f1ab2dca74901836a3ba70a6cc4184081adcecb0c6124e439ab352a96
Instruction ID: 40da3b5ca2427be73b5328a5b6f82f81c7d6e31ec195469438fd78cf683d18e0
Opcode Fuzzy Hash: 55ca0a3f1ab2dca74901836a3ba70a6cc4184081adcecb0c6124e439ab352a96
Instruction Fuzzy Hash: 3D21E5B59002189FDB10CF9AD584ADEBBF4EB48324F14842AE954A3310D378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E1B8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E1B97F

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d6e5d959ef67cd18c74a9faea985f22c90558a8802ee5dea894f5ce5f770f1c4
Instruction ID: 9e5caae40945c571b49a0e82f111668cfe76cd898a3a75e4bfb14e7b65a65f1d
Opcode Fuzzy Hash: d6e5d959ef67cd18c74a9faea985f22c90558a8802ee5dea894f5ce5f770f1c4
Instruction Fuzzy Hash: 3021E4B5D002189FDB10CF9AD584ADEBBF8FB48324F14842AE914A3310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E194B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E19991,00000800,00000000,00000000), ref: 02E19BA2

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0b8fa966aa56103c1c2ef3f7f50f6b7e67f9dd4f3de2456760f2da2092bd5da2
Instruction ID: ddec7856306bfa57d6d04601e5eb9871faa2b44ce07fc6dede057b31f582afe8
Opcode Fuzzy Hash: 0b8fa966aa56103c1c2ef3f7f50f6b7e67f9dd4f3de2456760f2da2092bd5da2
Instruction Fuzzy Hash: 0F1126B6D003498FDB10CF9AD494BDEFBF4EB98324F14842AE919A7200C778A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E19B30 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E19991,00000800,00000000,00000000), ref: 02E19BA2

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f066e302b37aa4b98283d436e2bce07b1537b9c96de89df52f22dd151a05d680
Instruction ID: b22d91afd9e96d03d40c9c30e97668523660b7f8aaaf7036ebfbc78ba533076a
Opcode Fuzzy Hash: f066e302b37aa4b98283d436e2bce07b1537b9c96de89df52f22dd151a05d680
Instruction Fuzzy Hash: 581126B6D002099FDB10CF9AC484BDEFBF4FB88324F14852AD919A7200C778A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E198B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02E19916

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: f37f4b8d24914d1ace3d50dd580e91c76be0d20394b6cfb2a3e63bbf39e13218
Instruction ID: 3269f5b673eba3927138e4867ba92575af58337d7f8723ad0ae2043bdb0e264b
Opcode Fuzzy Hash: f37f4b8d24914d1ace3d50dd580e91c76be0d20394b6cfb2a3e63bbf39e13218
Instruction Fuzzy Hash: 3611E0B5D002498FDB10CF9AC484BDEFBF4EB88224F14856AD869B7600D378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0131D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.291971032.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f755ac5173624a982f4318c143d9f3574b6b869a166e78ad66dd37a8a7bfae6
Instruction ID: 191b72bd9aca5206a9edf834b7cd7ba43c68a33f29c2a78094175e868abc40d7
Opcode Fuzzy Hash: 2f755ac5173624a982f4318c143d9f3574b6b869a166e78ad66dd37a8a7bfae6
Instruction Fuzzy Hash: A32137B1504244DFDB09DF54D8C8B26BF65FB8832CF24C569E9054B60AC736E856CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292100618.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5e262b39d17e0ffb1b96357d21750fe39a7dba9dbb42fe28871f4266e42694
Instruction ID: a12cf745ce65c133cdf2609832ae8b8719c10ad080be4e4b32751f4bbe5c0af6
Opcode Fuzzy Hash: 6a5e262b39d17e0ffb1b96357d21750fe39a7dba9dbb42fe28871f4266e42694
Instruction Fuzzy Hash: 0D2149B1504304DFDB05EF94D5C0B26BB65FB85328F24C6ADD9094B346C73AD806CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0132D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292100618.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94c3377e987ee8a6778f2cc717a7f3907fd2ec85cd8208518158fc200b55914
Instruction ID: 91bf3ae5d890f99a246ed9da6e0ed33187a406e8629fa5e9f743e0c853a17e50
Opcode Fuzzy Hash: f94c3377e987ee8a6778f2cc717a7f3907fd2ec85cd8208518158fc200b55914
Instruction Fuzzy Hash: EC2164B0608244DFDB10EFA4D8C0B26BB65FB84358F20C5A9D90A4B356C33ED807CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292100618.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c03f96db9c62f0a1365d0385e85e5eeaffbb4f7788d047c1b1aa20a1dc5f212
Instruction ID: b284bb9805221b205db1ab5850991baabdb9beedb12c507f277d046f30096b18
Opcode Fuzzy Hash: 0c03f96db9c62f0a1365d0385e85e5eeaffbb4f7788d047c1b1aa20a1dc5f212
Instruction Fuzzy Hash: DF2180754083809FCB02DF24D994B15BF71EF46214F28C5DAD8858F267C33A9856CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0131D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.291971032.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction ID: f2bb14441c6c385063f32385be25ffb5241b6171758aa772c1629b57e6978f2a
Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction Fuzzy Hash: 5111B176404280CFCB16CF54D5C4B16BF71FB85328F28C6A9D8450B61AC33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0132D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292100618.000000000132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0132D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_132d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction ID: b95e0ff756e791a7083eb192ae8ce566f3bdd8a55581f00d24e05ef74f5669e6
Opcode Fuzzy Hash: 06a7eb2830fe3889e456d27655020f58fd7942a7660a67a9db2bbc7502f19bed
Instruction Fuzzy Hash: 7911B875904280DFDB02DF54D5C4B15BBB1FB85228F28C6AAD8494B656C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0131D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.291971032.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31ba518f64bdb853e6e6a4f4e5acbb01e082b86f3b5fa2ee5c75a10bd7ff45cd
Instruction ID: 9a5e40932a0dc1b671658c68dd96ea012a6686efca3e57cb91572f4160076a49
Opcode Fuzzy Hash: 31ba518f64bdb853e6e6a4f4e5acbb01e082b86f3b5fa2ee5c75a10bd7ff45cd
Instruction Fuzzy Hash: F501F7710083849AF7244E66CC88B67BB9CEF4223CF08C55AEE044B24AD379A440C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 0131D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.291971032.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_131d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028bc2107d0a4e0e4b50d49d8eab1cf5a60a42cb3f83e52bb955dc823f432048
Instruction ID: 45b1c4dd86bd4bbf8447c001681fba4149250e218501e0506823e05262f542eb
Opcode Fuzzy Hash: 028bc2107d0a4e0e4b50d49d8eab1cf5a60a42cb3f83e52bb955dc823f432048
Instruction Fuzzy Hash: C0F09C714043949EE7158E16CCC8B67FFA8EB92634F18C45AED085B28AC379A844CAB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02E1E5B0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf0086e777ed88e07be3701a0b4cfea732598e4d5f9820fd43235a8c0230c7d
Instruction ID: 56179bd10ad16f08f3f8e13bb2a980d0a134bd611adb274cf49d1cd867cd91ce
Opcode Fuzzy Hash: 6cf0086e777ed88e07be3701a0b4cfea732598e4d5f9820fd43235a8c0230c7d
Instruction Fuzzy Hash: AA12E7F5C9174A8BD710CF65ECD81A9FBA0B7413A8BD24A08D2612FAD1D7B8056ECF44

Uniqueness

Uniqueness Score: -1.00%

Function 02E1C164 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ac7556f00f840fa855f2027b75b0be4b4dc4f730fc2d7bf60313a02619acdd
Instruction ID: 55af4f3d227f83f4c661380248b3687c888b0f462f3af811865ae9fa7b51cbd0
Opcode Fuzzy Hash: f1ac7556f00f840fa855f2027b75b0be4b4dc4f730fc2d7bf60313a02619acdd
Instruction Fuzzy Hash: F0A17F32E4061A8FCF09DFA5C8445DEBBB2FF84304B25957AE805EB264EB71A955CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02E1E5A2 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.292508593.0000000002E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e10000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd45c3b99752bea7da678fde5095856de7d33b62930801500c72b5f6926a9c3f
Instruction ID: ba3bd8977ea51f7e872ea15bc73b28aa5cd633b9819c217f028e9d91f64096a7
Opcode Fuzzy Hash: fd45c3b99752bea7da678fde5095856de7d33b62930801500c72b5f6926a9c3f
Instruction Fuzzy Hash: D8C129F1C9174A8BD710CF64ECD81A9FBB1BB853A8FD24A08D1612B6D0D7B8146ACF44

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exePID: 64, Parent PID: 5708COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	284
Total number of Limit Nodes:	6

Executed Functions

Function 059C7E90 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 249c37bc26a1b4e41bef697d976224536688d99cc61030dc0f286ac6af72756b
Instruction ID: 6160436a42bcc4128643b1207e9d2a6ddcd56abf9f2bdf40cc8f7e1389ef9837
Opcode Fuzzy Hash: 249c37bc26a1b4e41bef697d976224536688d99cc61030dc0f286ac6af72756b
Instruction Fuzzy Hash: A512FA35906229CFEB64DF34D99969CBBB2FF49306F1045E9D40A62350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C7EB1 Relevance: 3.4, APIs: 2, Instructions: 361COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3c98f2b82b884bdb0855bcb83a07072919b6bb2e2ec1c02adb9ca9c95332ef1d
Instruction ID: 723370f1487dc4a805455d9768bcbfb6b006846614a5926fed4f9e874bd8b58a
Opcode Fuzzy Hash: 3c98f2b82b884bdb0855bcb83a07072919b6bb2e2ec1c02adb9ca9c95332ef1d
Instruction Fuzzy Hash: A912EA35906229CFEB64DF34D99969CBBB2FF49306F1045E9D40A62350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C7EF6 Relevance: 3.4, APIs: 2, Instructions: 354COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4ca6e26fc7b8df8ef4501252660267dca60f9b0134efc21a372a18fd349ba2a9
Instruction ID: 0bbbfd8f968365bb97766d41be3e524e56296295e854938e4fe5ca66bab3793b
Opcode Fuzzy Hash: 4ca6e26fc7b8df8ef4501252660267dca60f9b0134efc21a372a18fd349ba2a9
Instruction Fuzzy Hash: 7102FA35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C7F3B Relevance: 3.3, APIs: 2, Instructions: 347COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e669b71da7d213951d1f9d47bd4e1043637f960c9928f9a8eb9c97e93eb3cb41
Instruction ID: 2ea227d34a653c28ec8661e7713a184b29350f4f027b1348831b03ca5fbe7206
Opcode Fuzzy Hash: e669b71da7d213951d1f9d47bd4e1043637f960c9928f9a8eb9c97e93eb3cb41
Instruction Fuzzy Hash: 7402FA35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A9E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C7F80 Relevance: 3.3, APIs: 2, Instructions: 340COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8fb306f70c2e03d7dd4fc70b8e85170f34ee2c2f806567f51cd17e8dc21bc584
Instruction ID: adbaa7d85ef8fd29346fafe6ca27b383aa8f3601dce5bca43d1d7d3da309fdc3
Opcode Fuzzy Hash: 8fb306f70c2e03d7dd4fc70b8e85170f34ee2c2f806567f51cd17e8dc21bc584
Instruction Fuzzy Hash: 0802FA35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A9E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C7FC5 Relevance: 3.3, APIs: 2, Instructions: 333COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7ff7ae8115fa3d1ea34eb613b9dfd79fb8d6908933ad542139e263ab3c747e34
Instruction ID: 44ded523e746c1b91142cf6148657dea43534d7a00223b82eff0146d46d9b253
Opcode Fuzzy Hash: 7ff7ae8115fa3d1ea34eb613b9dfd79fb8d6908933ad542139e263ab3c747e34
Instruction Fuzzy Hash: BD02FA35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A9E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C800A Relevance: 3.3, APIs: 2, Instructions: 326COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1ebf9a5d6af1da0959c95c98c315c09844cde5515c807c88bc66c2054b8d2a34
Instruction ID: ce998d2020ccbea40331a81831efc7d97f4eb87eb46dec8dff6abb047f6b1147
Opcode Fuzzy Hash: 1ebf9a5d6af1da0959c95c98c315c09844cde5515c807c88bc66c2054b8d2a34
Instruction Fuzzy Hash: 9002FA35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A9E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C804F Relevance: 3.3, APIs: 2, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 253265f16fe67dcd3bd79b75c032f5ec8d8707058b7072803cca38c20764c3d1
Instruction ID: ead7177b24c5d5ae4252cdff852a81ff0e9b4c42a1742c3c952a0899e4b49625
Opcode Fuzzy Hash: 253265f16fe67dcd3bd79b75c032f5ec8d8707058b7072803cca38c20764c3d1
Instruction Fuzzy Hash: D1F10A35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8094 Relevance: 3.3, APIs: 2, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4e54d5df449692a50fbed192447da0ad810a9423fdd7ef302542f16390c92cdc
Instruction ID: c08809f9a12a9bce994d85c3de3b415a83e71efe5849306a809f1fd4122ce6a8
Opcode Fuzzy Hash: 4e54d5df449692a50fbed192447da0ad810a9423fdd7ef302542f16390c92cdc
Instruction Fuzzy Hash: B4F1F935906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C80D9 Relevance: 3.3, APIs: 2, Instructions: 305COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 804bb4a1ce665cd144391406705cdf1eab3e5b66fd29d207f4fa89ffc071733a
Instruction ID: e5d4ebc2082890c9dde7cfbf3bf26e1575083f39a0a340346e723ff1152b1124
Opcode Fuzzy Hash: 804bb4a1ce665cd144391406705cdf1eab3e5b66fd29d207f4fa89ffc071733a
Instruction Fuzzy Hash: 9BF10935906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C811E Relevance: 3.3, APIs: 2, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ba242d44d015d9b25331287a1816473e536f49a8a820fc8083ee14ba07c3fc5
Instruction ID: 70cb94c034ceaf195049dc54ec3bab017c144b1eb468d3fd1689da8240e9a184
Opcode Fuzzy Hash: 8ba242d44d015d9b25331287a1816473e536f49a8a820fc8083ee14ba07c3fc5
Instruction Fuzzy Hash: EBF10A35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8163 Relevance: 3.3, APIs: 2, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ee533c276585b8dc266bcb3f83368d03b991c82a533243ac71dad722feb4ba73
Instruction ID: c105ad44bf89fc06a669d89b7cd0d0d0ae7a5f6850dd4b5966b79545020ca76a
Opcode Fuzzy Hash: ee533c276585b8dc266bcb3f83368d03b991c82a533243ac71dad722feb4ba73
Instruction Fuzzy Hash: F6E11A35906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C81A8 Relevance: 3.3, APIs: 2, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 513eed2fa0af04bbb1bd3061b88c080213b25f5060a1d70d1f8a13920efed01a
Instruction ID: 5b92ca8804a745110bddae8046d51c1e4ae09c7131d9bfdb55e7c45f0d134df0
Opcode Fuzzy Hash: 513eed2fa0af04bbb1bd3061b88c080213b25f5060a1d70d1f8a13920efed01a
Instruction Fuzzy Hash: 64E10935906229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C81ED Relevance: 3.3, APIs: 2, Instructions: 275COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 76d7c48855cb49d5809640c5ec8b3bbe57e6952f7f2f94329388d6f814c51981
Instruction ID: c743c8473188323bcbeeb5bb2bb6488a5fa7bc907feecdd785629d8e9b6f400f
Opcode Fuzzy Hash: 76d7c48855cb49d5809640c5ec8b3bbe57e6952f7f2f94329388d6f814c51981
Instruction Fuzzy Hash: 71E1F935906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C82B3 Relevance: 3.3, APIs: 2, Instructions: 254COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 190681e845021482f30800ef8893d9a4613fa245137a8e785883578556837cbd
Instruction ID: 2b42fcb41eaf6cb09b84544ec96d394610ddc4acc0e3744aeb69e0272a927cd2
Opcode Fuzzy Hash: 190681e845021482f30800ef8893d9a4613fa245137a8e785883578556837cbd
Instruction Fuzzy Hash: C8D1E935906229CFEB64DF34D99969CBBB2FF49306F1045D9D40A62350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8334 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 108c8dd1950a4ebe295448265aa5ea15309d151b9949a3ca375b352c377d330b
Instruction ID: 53ad5b2445f6f8535030bc554d1b7b07464b54ab3151270968cb1bf75a11b669
Opcode Fuzzy Hash: 108c8dd1950a4ebe295448265aa5ea15309d151b9949a3ca375b352c377d330b
Instruction Fuzzy Hash: 7BC1FB35905229CFEB64DF34D99969CBBB2FF49306F1045D9D40AA2350CB3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8379 Relevance: 3.2, APIs: 2, Instructions: 235COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6f30886a0d01f5e814b3ab9d7d24e02cc692a3c23c71842fe6fc2ab06de2017c
Instruction ID: 4ac38ff0c9b52b60438d65938cf84afbbc27f287f4f2371ef30e367fe95b64cb
Opcode Fuzzy Hash: 6f30886a0d01f5e814b3ab9d7d24e02cc692a3c23c71842fe6fc2ab06de2017c
Instruction Fuzzy Hash: 02C1F835905229CFEB64DF34D99969CBBB2BF49306F2045D9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C83BE Relevance: 3.2, APIs: 2, Instructions: 228COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c89b8c83b3fe2b14e3a3b4cf8e5b27583f2b2ec189d471d0d2a069f7baeed296
Instruction ID: 24cd06d44d6f82ca6681aca3adadc29ecbb5320a1c9fa7ced6c89f032ee430a5
Opcode Fuzzy Hash: c89b8c83b3fe2b14e3a3b4cf8e5b27583f2b2ec189d471d0d2a069f7baeed296
Instruction Fuzzy Hash: 80C10A35905229CFEB64DF34D99969CBBB2BF49306F2045D9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8403 Relevance: 3.2, APIs: 2, Instructions: 221COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fc8efb1e3e00b84b3c99ccdbc3f28dd5180cbb15efe67e4bd58178e2aaf93bcf
Instruction ID: 9be58e596df197373475c31e640bbf9615885521810f3576c92cb7b19d6a36ed
Opcode Fuzzy Hash: fc8efb1e3e00b84b3c99ccdbc3f28dd5180cbb15efe67e4bd58178e2aaf93bcf
Instruction Fuzzy Hash: CDB10A35906229CFDB64DF34D99969CBBB2BF49306F2045D9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8448 Relevance: 3.2, APIs: 2, Instructions: 214COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C846C
KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d283d29eb8ecb5f26a2de6fe23fc454097045f85baf463538c857ad95635d362
Instruction ID: 0e62ba921380c1bb4a113ed0ce2012168dec17f1011703fc7df493b892c0956f
Opcode Fuzzy Hash: d283d29eb8ecb5f26a2de6fe23fc454097045f85baf463538c857ad95635d362
Instruction Fuzzy Hash: D4B11A35906229CFEB64DF34D99969CBBB2BF49306F2045D9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F30877 Relevance: 1.8, APIs: 1, Instructions: 251memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00F30B0E

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: fddd512d3d5a93843ce4d07ab6017db6f60bc5477563fe9813da8ee361525ee5
Instruction ID: d954e19ecc7d01a059b6e3354cb9bae8a9c0a10c7b75b4418506f3122997ad0d
Opcode Fuzzy Hash: fddd512d3d5a93843ce4d07ab6017db6f60bc5477563fe9813da8ee361525ee5
Instruction Fuzzy Hash: FA819B71E002489FDF20DFA9E89079DBBB0EF89334F20446AE509E7391DB399845DB91

Uniqueness

Uniqueness Score: -1.00%

Function 059C84A3 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bbaffeacdf18ca7653ab1c4335ed65cbc584f35a9b9e5333392d628ac22ef943
Instruction ID: b8061997f5571cc25bff4349ea7676971d0300df3af2181c82f1bdb10452aaee
Opcode Fuzzy Hash: bbaffeacdf18ca7653ab1c4335ed65cbc584f35a9b9e5333392d628ac22ef943
Instruction Fuzzy Hash: BFB11A35905229CFDB64DF34D99969CBBB2BF49306F2045D9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C84E8 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e36d347ab213ebf672bcacdd6fa256987077e0080e11d809f42d076d0de02d48
Instruction ID: e5c654b52d27f5896a4678d3179bc60b9887ce57ae6410634159c02d7aea173e
Opcode Fuzzy Hash: e36d347ab213ebf672bcacdd6fa256987077e0080e11d809f42d076d0de02d48
Instruction Fuzzy Hash: C9A12A35905229CFEB64DF34D99969CBBB2BF49305F2045D9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C852D Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3bdbdbe09e7769d25ddc89017ddac9e364a14b2d24c000b30022218b7dc28949
Instruction ID: 2c33eff8ef11938ed5dafed6039a2a6dca99eea5a1e682b17322e352e02b3d46
Opcode Fuzzy Hash: 3bdbdbe09e7769d25ddc89017ddac9e364a14b2d24c000b30022218b7dc28949
Instruction Fuzzy Hash: B5A12A35906229CFEB64DF34D99969CBBB2BF49305F1045E9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8575 Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8ca9d33e35d5e3dd18c80b6d2cb706e4a34c17502542db72d660fed628235c03
Instruction ID: b02a23a399b81716c9e2865c8abc664e37ca19c3fe8fa47d6152d03b6f336ecb
Opcode Fuzzy Hash: 8ca9d33e35d5e3dd18c80b6d2cb706e4a34c17502542db72d660fed628235c03
Instruction Fuzzy Hash: 19911A35906229CFEB64DF34D99969CBBB2BF49305F1045E9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C85BD Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ddb688e2f4ffc7be9dd4335eecd627d98afeb48857069dd8977ac1d51d2840a5
Instruction ID: 6aa13e03c94a3b2b5482b261403318fff84a256754d4300a9c4b7e05ac3bfadc
Opcode Fuzzy Hash: ddb688e2f4ffc7be9dd4335eecd627d98afeb48857069dd8977ac1d51d2840a5
Instruction Fuzzy Hash: 93912A35906229CFEB64DF34D99969CBBB2BF49305F1045D9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8605 Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cb54fdbfaeff8d1227fa3899a76e7634403989249c41e435f0ce4a352df4bf9c
Instruction ID: 7f793e5ac010528f19fa7d60e0bf296a9ed15d05d8465a85d3f3d655d6d5a2dc
Opcode Fuzzy Hash: cb54fdbfaeff8d1227fa3899a76e7634403989249c41e435f0ce4a352df4bf9c
Instruction Fuzzy Hash: CD813B35906229CFEB64DF34D99969CBBB2BF49305F2045E9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8641 Relevance: 1.7, APIs: 1, Instructions: 159COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4229321a8ccc89dc5b2670b29f5891b64350de1d2e9bd008b805e558fb8136f2
Instruction ID: f78c06d23c62c1b53463204f81a06e564563af34b2150083324df199b9300c51
Opcode Fuzzy Hash: 4229321a8ccc89dc5b2670b29f5891b64350de1d2e9bd008b805e558fb8136f2
Instruction Fuzzy Hash: 7A813A35906229CFEB64DF34D99969CBBB2BF49305F2045E9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C867D Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f441aa8cd3da2e962ed3fb91ab6ce4e0850784267e0919acb465576848571df7
Instruction ID: 506569038a26198358ea46a9a65853bbc8ded4339577cfbaa6514e70a31d1485
Opcode Fuzzy Hash: f441aa8cd3da2e962ed3fb91ab6ce4e0850784267e0919acb465576848571df7
Instruction Fuzzy Hash: FF811935906229CFDB64DF34D89969DBBB2BF49305F1045E9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C86C5 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3c9171213d46b9bb5b556a24649ddb0f12b9d78c78c9b0429797b6e519854b42
Instruction ID: eab14e926a9a5f81a8219f36c8ad3712f17636104b14a390370e1e9124df48df
Opcode Fuzzy Hash: 3c9171213d46b9bb5b556a24649ddb0f12b9d78c78c9b0429797b6e519854b42
Instruction Fuzzy Hash: CB712935906229CFEB64DF34D89969CBBB2BF49305F1045E9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C870D Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4afca01d38a2917fe1b814f212ba5db028945c2411a1ba519d4920bb64c19c56
Instruction ID: 4a7c59eaf83c9d95b26f6be071a2e1f5bfa244d50c6cbf590c0351f5edb98c81
Opcode Fuzzy Hash: 4afca01d38a2917fe1b814f212ba5db028945c2411a1ba519d4920bb64c19c56
Instruction Fuzzy Hash: F0710935906229CFDB64DF34D89969CBBB2BF49305F2045E9D40AA2350DF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8755 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 976cf10007bb156779516d5e047e05542625550e2abf8de10cca926b20aa35b5
Instruction ID: 0568b206ed7aa214366ae759be077585e14d9802ea201b651043a9f3ac5df763
Opcode Fuzzy Hash: 976cf10007bb156779516d5e047e05542625550e2abf8de10cca926b20aa35b5
Instruction Fuzzy Hash: CD612A35906229CFDB64DF34D99969CBBB2BF89305F1045D9D40AA2350CF3A5E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 059C8791 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 059C87AC

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1a4b2f8fc71646ffc13ab8cf13a344b744aaaeb830e8b08472094aa553a34b23
Instruction ID: 9479e4ceb7f66b77b0a5b55e901e3adabc859e28e0dad50b26a1ae94ecf197f0
Opcode Fuzzy Hash: 1a4b2f8fc71646ffc13ab8cf13a344b744aaaeb830e8b08472094aa553a34b23
Instruction Fuzzy Hash: 3E511A35906229CFDB64DF34D99969CBBB2BF89305F1045D9D40AA2350CF365E81CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B7D4 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F3D7E2

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3ed77f78a6da4a46fc804f3ca9adf9e73457978578e44fd7d8deb9a05f812ed6
Instruction ID: c471a3f0b4b7de874552b20bc9a5e1703b3cb44b77e57b90720523b4901e751f
Opcode Fuzzy Hash: 3ed77f78a6da4a46fc804f3ca9adf9e73457978578e44fd7d8deb9a05f812ed6
Instruction Fuzzy Hash: 7E3133B0D002499FDF14DFA9D88579EBBF5FB08324F148529E815AB380D778A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F3D70C Relevance: 1.6, APIs: 1, Instructions: 88libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00F3D7E2

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58294f006452fba5b54877b4c8833372b23cb27bb8bb229ecd048aabc5ed300e
Instruction ID: deb6e4dc0433c978932fb65d3906e528d6d47554c643bacdb28a9a2350192c9d
Opcode Fuzzy Hash: 58294f006452fba5b54877b4c8833372b23cb27bb8bb229ecd048aabc5ed300e
Instruction Fuzzy Hash: 943135B4D00249CFDB14DFA9D88579EBBF1FB48324F14852AE815A7380D7789846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F3583F Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00F358CA

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: d1a1b923303ace873b53a904e6409d83da40e199a17d06146f2661f9d5065eec
Instruction ID: 968baab1a3af78be257d9fe69be744b7b1dbd97fa517cb7299722efa44c9cb8a
Opcode Fuzzy Hash: d1a1b923303ace873b53a904e6409d83da40e199a17d06146f2661f9d5065eec
Instruction Fuzzy Hash: 36218B74C053898FDF11DFA9D4483DEBFF4EB89728F14846AC444A3241D739694ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 059C6160 Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 059C7348

Memory Dump Source

Source File: 00000007.00000002.558460723.00000000059C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_59c0000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: b86756328496293e025e1ca78a32515de8b6343f7a9fdf8fa1c47f81b6aacc85
Instruction ID: 5dd463bcf318981a66e7f7f700387e25533382aa02bd4513c9460a50b0d54d08
Opcode Fuzzy Hash: b86756328496293e025e1ca78a32515de8b6343f7a9fdf8fa1c47f81b6aacc85
Instruction Fuzzy Hash: 812156B1C0461A8BCB10CF9AD4447EEFBF4FB48320F05816AD919B7240D778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F35850 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00F358CA

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: cb9b7351a6e62111408efbc8af05bb7682212d248e1fe1fbc99250645e5d071d
Instruction ID: 285f80c5c4b20fe634a37c435e8a9cd18223f4dc35ebc998f4d480a94bcffd6f
Opcode Fuzzy Hash: cb9b7351a6e62111408efbc8af05bb7682212d248e1fe1fbc99250645e5d071d
Instruction Fuzzy Hash: 4D119A74D01349CFDF10DFA9D40879EBBF4EB88725F14842AC404A3240D778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F30AA0 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 00F30B0E

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 7f93a722308e572c7d274d45aca7aa6e66d308d6d6f74c4daa9d69ccab634225
Instruction ID: f159ad6811ca0bde0652629e7c0c77c1af144e426d57b2d58f7d89d9340650b2
Opcode Fuzzy Hash: 7f93a722308e572c7d274d45aca7aa6e66d308d6d6f74c4daa9d69ccab634225
Instruction Fuzzy Hash: 241104B59002499FCB10CF9AD844BDEBFF8FB88324F148419E519A7250C775A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F30B53 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00F30BB7

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 215d6f165d145227d88c67001748bfefb8176641b25f0cb611ef2feec06af52f
Instruction ID: d587178b40374835ad9b032536c4b0f7e13e391ed3eca3d306fc3e6e0b4bd115
Opcode Fuzzy Hash: 215d6f165d145227d88c67001748bfefb8176641b25f0cb611ef2feec06af52f
Instruction Fuzzy Hash: D81100B58002488FDB20DF9AD484BDEFBF4AB98324F14845AD959A7740C7B56948CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F30B58 Relevance: 1.3, APIs: 1, Instructions: 41sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00F30BB7

Memory Dump Source

Source File: 00000007.00000002.540657893.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_f30000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 09a43d6d46e4a69fcf75b67ee379e6002d9ae527afa42c8da86a0e377cdbb9a9
Instruction ID: 5b996fd9962ca5982ff301aaca153a062ab6a2830eff79278eda0b9d0ce449e3
Opcode Fuzzy Hash: 09a43d6d46e4a69fcf75b67ee379e6002d9ae527afa42c8da86a0e377cdbb9a9
Instruction Fuzzy Hash: CD11EEB58002498FDB20DF9AD484BDEFBF8EB88324F14845AD569A7340C7B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2DA00 Relevance: 1.2, Instructions: 1169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.540165962.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7fc642e92e67b0cf20ac4b86d8e734a2fd5ac4f366b1b6ffd29bc4ef7a60a9
Instruction ID: 0739c46789e93e4b4cb632c341af0fd7a24091a47ec9d57dcaea96a7c38d09d0
Opcode Fuzzy Hash: 2a7fc642e92e67b0cf20ac4b86d8e734a2fd5ac4f366b1b6ffd29bc4ef7a60a9
Instruction Fuzzy Hash: 1D324F7294D3C18FE7438BB48C627813FB0EF17225F0A41E7C5829A1A3D15D995ACB6B

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.540013646.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddeb0286ec74ed5a0b134b4e8e124470210db4f6ab8dac5c8edb61b47a5f67a
Instruction ID: 56790796eec6d2ecf6e99f2dc2114db5a89c805a1d0970f8ce182034827ab038
Opcode Fuzzy Hash: bddeb0286ec74ed5a0b134b4e8e124470210db4f6ab8dac5c8edb61b47a5f67a
Instruction Fuzzy Hash: 02213AB1504204DFDB04DF10D8C0B66BB65FB99324F24C569E90A4B206C33AE896EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2E3DC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.540165962.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c2d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe651d808094c766ac085241696482bc6f661767021d10a2b76bc7df7c5994c
Instruction ID: 9b2939969fbc49332e4ae8b76fef81accc397eb3498da2668e8723b028efe540
Opcode Fuzzy Hash: abe651d808094c766ac085241696482bc6f661767021d10a2b76bc7df7c5994c
Instruction Fuzzy Hash: FF2146B1504200DFDB04EF60E8C4B26BB65FB88324F24C6ADE9095B746C73AD846CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C1D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.540013646.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c1d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction ID: 53ee86af52ec98c0c8a596a0729f14a1d4aa23d311d3951375d0340498ade77b
Opcode Fuzzy Hash: 8d778767f53fd0a6c663cb8d613203c36db215e48ccc3c7032546bce1bc62798
Instruction Fuzzy Hash: FF11E676404280DFCF15CF10D5C4B56BF72FB99320F28C6A9D8490B616C33AE996DBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\wPBZqbH.exe.log

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe

C:\Users\user\AppData\Roaming\wPBZqbH\wPBZqbH.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.11851.17452.exe

Function 02E1B6C1 Relevance: 6.1, APIs: 4, Instructions: 122
threadCOMMON

Function 02E1B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 02E1FCD8 Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Function 02E1FD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 02E15364 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Function 02E13DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02E1B8F2 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Function 02E1B8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 02E194B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02E19B30 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 02E198B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre