Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Analysis ID:	756003
MD5:	f64f729e0ba974c578afaac25665e067
SHA1:	d1225322fd5f16eb18a90ec4a4b007a010e2d51a
SHA256:	680f16527c5dc7e7e32bb27b99dcbc85c75282d853cb9a27c186963dae883d2e
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe (PID: 5644 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe MD5: F64F729E0BA974C578AFAAC25665E067)

powershell.exe (PID: 3216 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3644 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe (PID: 5340 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe MD5: F64F729E0BA974C578AFAAC25665E067)

UmpBcHBDbXhaX.exe (PID: 624 cmdline: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: F64F729E0BA974C578AFAAC25665E067)

schtasks.exe (PID: 3540 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

UmpBcHBDbXhaX.exe (PID: 5468 cmdline: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: F64F729E0BA974C578AFAAC25665E067)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage?chat_id=5733364805"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31883:$a13: get_DnsResolver 0x2ff53:$a20: get_LastAccessed 0x322b1:$a27: set_InternalServerPort 0x325e6:$a30: set_GuidMasterKey 0x30065:$a33: get_Clipboard 0x30073:$a34: get_Keyboard 0x3147d:$a35: get_ShiftKeyDown 0x3148e:$a36: get_AltKeyDown 0x30080:$a37: get_Password 0x30bd8:$a38: get_PasswordHash 0x31ce5:$a39: get_DefaultCredentials
0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x154b83:$a13: get_DnsResolver 0x18ada3:$a13: get_DnsResolver 0x1c0dc3:$a13: get_DnsResolver 0x153253:$a20: get_LastAccessed 0x189473:$a20: get_LastAccessed 0x1bf493:$a20: get_LastAccessed 0x1555b1:$a27: set_InternalServerPort 0x18b7d1:$a27: set_InternalServerPort 0x1c17f1:$a27: set_InternalServerPort 0x1558e6:$a30: set_GuidMasterKey 0x18bb06:$a30: set_GuidMasterKey 0x1c1b26:$a30: set_GuidMasterKey 0x153365:$a33: get_Clipboard 0x189585:$a33: get_Clipboard 0x1bf5a5:$a33: get_Clipboard 0x153373:$a34: get_Keyboard 0x189593:$a34: get_Keyboard 0x1bf5b3:$a34: get_Keyboard 0x15477d:$a35: get_ShiftKeyDown 0x18a99d:$a35: get_ShiftKeyDown 0x1c09bd:$a35: get_ShiftKeyDown
00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x68486:$a13: get_DnsResolver 0x67434:$a20: get_LastAccessed 0x68b28:$a27: set_InternalServerPort 0x68d0f:$a30: set_GuidMasterKey 0x6751a:$a33: get_Clipboard 0x67528:$a34: get_Keyboard 0x68203:$a35: get_ShiftKeyDown 0x68214:$a36: get_AltKeyDown 0x67535:$a37: get_Password 0x67c89:$a38: get_PasswordHash 0x68746:$a39: get_DefaultCredentials
Process Memory Space: UmpBcHBDbXhaX.exe PID: 624	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x477e:$a13: get_DnsResolver 0x30ae:$a20: get_LastAccessed 0x515b:$a27: set_InternalServerPort 0x53c2:$a30: set_GuidMasterKey 0x31a9:$a33: get_Clipboard 0x31b7:$a34: get_Keyboard 0x4414:$a35: get_ShiftKeyDown 0x4425:$a36: get_AltKeyDown 0x31c4:$a37: get_Password 0x3c78:$a38: get_PasswordHash 0x4bb4:$a39: get_DefaultCredentials
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327c4:$s10: logins 0x3223e:$s11: credential 0x2e465:$g1: get_Clipboard 0x2e473:$g2: get_Keyboard 0x2e480:$g3: get_Password 0x2f86d:$g4: get_CtrlKeyDown 0x2f87d:$g5: get_ShiftKeyDown 0x2f88e:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fc83:$a13: get_DnsResolver 0x2e353:$a20: get_LastAccessed 0x306b1:$a27: set_InternalServerPort 0x309e6:$a30: set_GuidMasterKey 0x2e465:$a33: get_Clipboard 0x2e473:$a34: get_Keyboard 0x2f87d:$a35: get_ShiftKeyDown 0x2f88e:$a36: get_AltKeyDown 0x2e480:$a37: get_Password 0x2efd8:$a38: get_PasswordHash 0x300e5:$a39: get_DefaultCredentials
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x345c4:$s10: logins 0x3403e:$s11: credential 0x30265:$g1: get_Clipboard 0x30273:$g2: get_Keyboard 0x30280:$g3: get_Password 0x3166d:$g4: get_CtrlKeyDown 0x3167d:$g5: get_ShiftKeyDown 0x3168e:$g6: get_AltKeyDown
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31a83:$a13: get_DnsResolver 0x30153:$a20: get_LastAccessed 0x324b1:$a27: set_InternalServerPort 0x327e6:$a30: set_GuidMasterKey 0x30265:$a33: get_Clipboard 0x30273:$a34: get_Keyboard 0x3167d:$a35: get_ShiftKeyDown 0x3168e:$a36: get_AltKeyDown 0x30280:$a37: get_Password 0x30dd8:$a38: get_PasswordHash 0x31ee5:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x126204:$s10: logins 0x15c424:$s10: logins 0x192444:$s10: logins 0x125c7e:$s11: credential 0x15be9e:$s11: credential 0x191ebe:$s11: credential 0x121ea5:$g1: get_Clipboard 0x1580c5:$g1: get_Clipboard 0x18e0e5:$g1: get_Clipboard 0x121eb3:$g2: get_Keyboard 0x1580d3:$g2: get_Keyboard 0x18e0f3:$g2: get_Keyboard 0x121ec0:$g3: get_Password 0x1580e0:$g3: get_Password 0x18e100:$g3: get_Password 0x1232ad:$g4: get_CtrlKeyDown 0x1594cd:$g4: get_CtrlKeyDown 0x18f4ed:$g4: get_CtrlKeyDown 0x1232bd:$g5: get_ShiftKeyDown 0x1594dd:$g5: get_ShiftKeyDown 0x18f4fd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x34f1b:$s1: file:/// 0x34e2b:$s2: {11111-22222-10009-11112} 0x34eab:$s3: {11111-22222-50001-00000} 0x34071:$s4: get_Module 0x343ec:$s5: Reverse 0x122456:$s5: Reverse 0x158676:$s5: Reverse 0x18e696:$s5: Reverse 0x2f58a:$s6: BlockCopy 0x1244d9:$s6: BlockCopy 0x15a6f9:$s6: BlockCopy 0x190719:$s6: BlockCopy 0x122714:$s7: ReadByte 0x158934:$s7: ReadByte 0x18e954:$s7: ReadByte 0x34f2d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1236c3:$a13: get_DnsResolver 0x1598e3:$a13: get_DnsResolver 0x18f903:$a13: get_DnsResolver 0x121d93:$a20: get_LastAccessed 0x157fb3:$a20: get_LastAccessed 0x18dfd3:$a20: get_LastAccessed 0x1240f1:$a27: set_InternalServerPort 0x15a311:$a27: set_InternalServerPort 0x190331:$a27: set_InternalServerPort 0x124426:$a30: set_GuidMasterKey 0x15a646:$a30: set_GuidMasterKey 0x190666:$a30: set_GuidMasterKey 0x121ea5:$a33: get_Clipboard 0x1580c5:$a33: get_Clipboard 0x18e0e5:$a33: get_Clipboard 0x121eb3:$a34: get_Keyboard 0x1580d3:$a34: get_Keyboard 0x18e0f3:$a34: get_Keyboard 0x1232bd:$a35: get_ShiftKeyDown 0x1594dd:$a35: get_ShiftKeyDown 0x18f4fd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x91fe4:$s10: logins 0xc8204:$s10: logins 0xfe224:$s10: logins 0x91a5e:$s11: credential 0xc7c7e:$s11: credential 0xfdc9e:$s11: credential 0x8dc85:$g1: get_Clipboard 0xc3ea5:$g1: get_Clipboard 0xf9ec5:$g1: get_Clipboard 0x8dc93:$g2: get_Keyboard 0xc3eb3:$g2: get_Keyboard 0xf9ed3:$g2: get_Keyboard 0x8dca0:$g3: get_Password 0xc3ec0:$g3: get_Password 0xf9ee0:$g3: get_Password 0x8f08d:$g4: get_CtrlKeyDown 0xc52ad:$g4: get_CtrlKeyDown 0xfb2cd:$g4: get_CtrlKeyDown 0x8f09d:$g5: get_ShiftKeyDown 0xc52bd:$g5: get_ShiftKeyDown 0xfb2dd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8f4a3:$a13: get_DnsResolver 0xc56c3:$a13: get_DnsResolver 0xfb6e3:$a13: get_DnsResolver 0x8db73:$a20: get_LastAccessed 0xc3d93:$a20: get_LastAccessed 0xf9db3:$a20: get_LastAccessed 0x8fed1:$a27: set_InternalServerPort 0xc60f1:$a27: set_InternalServerPort 0xfc111:$a27: set_InternalServerPort 0x90206:$a30: set_GuidMasterKey 0xc6426:$a30: set_GuidMasterKey 0xfc446:$a30: set_GuidMasterKey 0x8dc85:$a33: get_Clipboard 0xc3ea5:$a33: get_Clipboard 0xf9ec5:$a33: get_Clipboard 0x8dc93:$a34: get_Keyboard 0xc3eb3:$a34: get_Keyboard 0xf9ed3:$a34: get_Keyboard 0x8f09d:$a35: get_ShiftKeyDown 0xc52bd:$a35: get_ShiftKeyDown 0xfb2dd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x345c4:$s10: logins 0x6a7e4:$s10: logins 0xa0804:$s10: logins 0x3403e:$s11: credential 0x6a25e:$s11: credential 0xa027e:$s11: credential 0x30265:$g1: get_Clipboard 0x66485:$g1: get_Clipboard 0x9c4a5:$g1: get_Clipboard 0x30273:$g2: get_Keyboard 0x66493:$g2: get_Keyboard 0x9c4b3:$g2: get_Keyboard 0x30280:$g3: get_Password 0x664a0:$g3: get_Password 0x9c4c0:$g3: get_Password 0x3166d:$g4: get_CtrlKeyDown 0x6788d:$g4: get_CtrlKeyDown 0x9d8ad:$g4: get_CtrlKeyDown 0x3167d:$g5: get_ShiftKeyDown 0x6789d:$g5: get_ShiftKeyDown 0x9d8bd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31a83:$a13: get_DnsResolver 0x67ca3:$a13: get_DnsResolver 0x9dcc3:$a13: get_DnsResolver 0x30153:$a20: get_LastAccessed 0x66373:$a20: get_LastAccessed 0x9c393:$a20: get_LastAccessed 0x324b1:$a27: set_InternalServerPort 0x686d1:$a27: set_InternalServerPort 0x9e6f1:$a27: set_InternalServerPort 0x327e6:$a30: set_GuidMasterKey 0x68a06:$a30: set_GuidMasterKey 0x9ea26:$a30: set_GuidMasterKey 0x30265:$a33: get_Clipboard 0x66485:$a33: get_Clipboard 0x9c4a5:$a33: get_Clipboard 0x30273:$a34: get_Keyboard 0x66493:$a34: get_Keyboard 0x9c4b3:$a34: get_Keyboard 0x3167d:$a35: get_ShiftKeyDown 0x6789d:$a35: get_ShiftKeyDown 0x9d8bd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1b6:$v1: SbieDll.dll 0xd1d0:$v2: USER 0xd1dc:$v3: SANDBOX 0xd1ee:$v4: VIRUS 0xd23e:$v4: VIRUS 0xd1fc:$v5: MALWARE 0xd20e:$v6: SCHMIDTI 0xd222:$v7: CURRENTUSER
5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1b6:$v1: SbieDll.dll 0xd1d0:$v2: USER 0xd1dc:$v3: SANDBOX 0xd1ee:$v4: VIRUS 0xd23e:$v4: VIRUS 0xd1fc:$v5: MALWARE 0xd20e:$v6: SCHMIDTI 0xd222:$v7: CURRENTUSER
5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a986:$v1: SbieDll.dll 0x2a9a0:$v2: USER 0x2a9ac:$v3: SANDBOX 0x2a9be:$v4: VIRUS 0x2aa0e:$v4: VIRUS 0x2a9cc:$v5: MALWARE 0x2a9de:$v6: SCHMIDTI 0x2a9f2:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a986:$v1: SbieDll.dll 0x2a9a0:$v2: USER 0x2a9ac:$v3: SANDBOX 0x2a9be:$v4: VIRUS 0x2aa0e:$v4: VIRUS 0x2a9cc:$v5: MALWARE 0x2a9de:$v6: SCHMIDTI 0x2a9f2:$v7: CURRENTUSER
Click to see the 24 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ParentProcessId: 5644, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, ProcessId: 3644, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Joe Sandbox ML: detected

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage?chat_id=5733364805"}
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.5340.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://SDRcFr.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.366428290.0000000001207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/5733364805%discordapi%yyy
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.365703754.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3E12ED6Cu002dD3A3u002d460Eu002dAA91u002d617C2FC494E6u007d/D32C3C92u002d6775u002d47B3u002dB316u002d8190B687AACD.cs

Large array initialization: .cctor: array initializer size 10967

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEC164	0_2_00EEC164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEE5A2	0_2_00EEE5A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEE5B0	0_2_00EEE5B0
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121C164	5_2_0121C164
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121E5A1	5_2_0121E5A1
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121E5B0	5_2_0121E5B0
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_05AC0E9B	5_2_05AC0E9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_010BFA20	6_2_010BFA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_010BBB68	6_2_010BBB68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2BD98	6_2_05D2BD98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2CAE8	6_2_05D2CAE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D20040	6_2_05D20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D229F8	6_2_05D229F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D20910	6_2_05D20910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F0300	6_2_060F0300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F03E0	6_2_060F03E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F61D8	6_2_060F61D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FAE20	6_2_060FAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F9BA4	6_2_060F9BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F7208	6_2_060F7208
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F72B8	6_2_060F72B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FAD2F	6_2_060FAD2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FBB10	6_2_060FBB10

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323275662.00000000007DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDPxD.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.365703754.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.375394541.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.589454463.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000000.363775300.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Binary or memory string: OriginalFilenameDPxD.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UmpBcHBDbXhaX.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/9@0/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.593323499.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592905426.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Mutant created: \Sessions\1\BaseNamedObjects\eIuimuWJTjwFo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000003.364514254.00000000071A0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: PP99Q.vBPmm8Q

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEF972 pushad ; iretd	0_2_00EEF979
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_05AC65A0 pushfd ; retf	5_2_05AC65A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2A6CD push 8B000005h; retf	6_2_05D2A6D7

Source: initial sample	Static PE information: section name: .text entropy: 7.663847187465398
Source: initial sample	Static PE information: section name: .text entropy: 7.663847187465398

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (7).png

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 624, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 5752	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 1968	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5520	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 1400	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 5504	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 4840	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 4808	Thread sleep count: 9742 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 4116	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 4124	Thread sleep count: 9722 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9312	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Window / User API: threadDelayed 9742	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Window / User API: threadDelayed 9722

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477

Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	1 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	111 Input Capture	1 Process Discovery	Remote Desktop Protocol	111 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	32%	ReversingLabs	Win32.Trojan.Woreflint
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	32%	ReversingLabs	Win32.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://SDRcFr.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.366428290.0000000001207000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/5733364805%discordapi%yyy	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://SDRcFr.com	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756003
Start date and time:	2022-11-29 13:49:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/9@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 115 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:50:24	API Interceptor	591x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe modified
13:50:30	API Interceptor	19x Sleep call for process: powershell.exe modified
13:50:32	Task Scheduler	Run new task: UmpBcHBDbXhaX path: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
13:50:39	API Interceptor	467x Sleep call for process: UmpBcHBDbXhaX.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UmpBcHBDbXhaX.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21876
Entropy (8bit):	5.601829389408276
Encrypted:	false
SSDEEP:	384:3tCRdN02OVJ/cVCyYnP0SBxniju57iJ9gvRSJ3uyO1+m0S1AVrdtGuA+inYQ:r/cG84xiS57JcuG7lQ
MD5:	2E9B889A60208A20362A3E53763B6013
SHA1:	7F1F939BC9A458DEE7D453964AEBF1D7FAFAA80C
SHA-256:	BFDABCA0F512BD8D3E9CB576755745431D206F0A62227CB17F878E7941D02AB2
SHA-512:	A17F20FF83AF7CBF72DD1796377E0A251E61A06BF4A3AD258694BDBCCD231BCC5A2C5B61D4DCE7F8444D967F26F739D19E8C8701F31021B692EB9AEA753F0379
Malicious:	false
Preview:	@...e...............................:.B..............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sdibjn1.iex.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1bp3fok.q3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.148849411848415
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZJxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTW/v
MD5:	82365BDA4E63EF625F4390CA5F4CF939
SHA1:	C08BB866E48BEC9B106EE09266328F367FF663C3
SHA-256:	089F94C9BFBD16049A4B211D130CE625DFD4C2761C988E08CE58712C1DC9A6BC
SHA-512:	E3017A4E3E3A66F46488418531719D3B10D2D838D9E81BFDCAF9F8A83B3B483D5361D869C1BDAA2C9E1541F2B16F94C4EC573CD3A94E1AA3A4EBA40ECD753186
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmp8847.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.148849411848415
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZJxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTW/v
MD5:	82365BDA4E63EF625F4390CA5F4CF939
SHA1:	C08BB866E48BEC9B106EE09266328F367FF663C3
SHA-256:	089F94C9BFBD16049A4B211D130CE625DFD4C2761C988E08CE58712C1DC9A6BC
SHA-512:	E3017A4E3E3A66F46488418531719D3B10D2D838D9E81BFDCAF9F8A83B3B483D5361D869C1BDAA2C9E1541F2B16F94C4EC573CD3A94E1AA3A4EBA40ECD753186
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	951296
Entropy (8bit):	7.6550716384576925
Encrypted:	false
SSDEEP:	12288:kBuqU+PCH5W8IgKprPRibKTh6SoqZpK3tUjjAK7nYbSuSmFbWNHrDdzoa1cfN:Idrlf6SoqbK3InYUJDdEPf
MD5:	F64F729E0BA974C578AFAAC25665E067
SHA1:	D1225322FD5F16EB18A90EC4A4B007A010E2D51A
SHA-256:	680F16527C5DC7E7E32BB27B99DCBC85C75282D853CB9A27C186963DAE883D2E
SHA-512:	6BF0F4A2567736CDFA5E422E23F1F43A593699A1276654264A619E2F1B4690AF911E04508D0928C3A84EA658C022DC4B44F4F0467254C72BB92191E212E029C8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..c..............0..j............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....j... ...j.................. ..`.rsrc................l..............@..@.reloc..............................@..B.......................H.......<...........l...8u..p...........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6550716384576925
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File size:	951296
MD5:	f64f729e0ba974c578afaac25665e067
SHA1:	d1225322fd5f16eb18a90ec4a4b007a010e2d51a
SHA256:	680f16527c5dc7e7e32bb27b99dcbc85c75282d853cb9a27c186963dae883d2e
SHA512:	6bf0f4a2567736cdfa5e422e23f1f43a593699a1276654264a619e2f1b4690af911e04508d0928c3a84ea658c022dc4b44f4f0467254c72bb92191e212e029c8
SSDEEP:	12288:kBuqU+PCH5W8IgKprPRibKTh6SoqZpK3tUjjAK7nYbSuSmFbWNHrDdzoa1cfN:Idrlf6SoqbK3InYUJDdEPf
TLSH:	FC15D08023A6AF70F5386BF37521904827763C6E94F1D2296DDDB0DE2A76B5049F0B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..c..............0..j............... ........@.. ....................................@................................

File Icon


Icon Hash:	63e6a3a1a6bdbdbb

Static PE Info

General

Entrypoint:	0x4e89fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385A66A [Tue Nov 29 06:27:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe89a8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x14d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6a00	0xe6a00	False	0.8274824271680217	data	7.663847187465398	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x14d0	0x1600	False	0.5793678977272727	data	5.573635871144453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xea0e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_GROUP_ICON	0xeb190	0x14	data
RT_VERSION	0xeb1a4	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	13:50:16
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Imagebase:	0x6f0000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	13:50:27
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0xd00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	13:50:27
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	13:50:28
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Imagebase:	0xcb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	13:50:28
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	5
Start time:	13:50:34
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0x690000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low

Show Windows behavior

Target ID:	6
Start time:	13:50:35
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Imagebase:	0x7b0000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	13:50:46
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Imagebase:	0xcb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	13:50:46
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	13:50:48
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0x740000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	10.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	111
Total number of Limit Nodes:	8

Executed Functions

Function 00EEB6C1 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EEB730
GetCurrentThread.KERNEL32 ref: 00EEB76D
GetCurrentProcess.KERNEL32 ref: 00EEB7AA
GetCurrentThreadId.KERNEL32 ref: 00EEB803

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: dbe48d4c0398d4459ea3f709f727bbbba26db30ca023b62e197c69aa57538c40
Instruction ID: eea09bd2bf9f1ec0ed054d85d0bc588ef991ed5c293179e8e3204bda5150411d
Opcode Fuzzy Hash: dbe48d4c0398d4459ea3f709f727bbbba26db30ca023b62e197c69aa57538c40
Instruction Fuzzy Hash: C95156B0D007498FDB10DFAAD548B9EBBF2AF88314F20855AE419B7251D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EEB6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00EEB730
GetCurrentThread.KERNEL32 ref: 00EEB76D
GetCurrentProcess.KERNEL32 ref: 00EEB7AA
GetCurrentThreadId.KERNEL32 ref: 00EEB803

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 67d1596b270be3344c968d3d7df88b5f0e403eed3f5d589c22b2fafdd13f1e52
Instruction ID: 81600c27ba3bcee6ef52ff33301ff469d607bb01ead468b3fcc6de3616653c6e
Opcode Fuzzy Hash: 67d1596b270be3344c968d3d7df88b5f0e403eed3f5d589c22b2fafdd13f1e52
Instruction Fuzzy Hash: 035164B0D00649CFDB10CFAAD588B9EBBF2AF88308F20855AE419B7350D7746884CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EEFD2C Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EEFE4A

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: aa7a7f3a94d64d8f9889b6b046af836bdf99aee86578d4b1f3e11c440df7e202
Instruction ID: 0075e71f0bc568e85c0e73dd4825c4df7907fa384b94b37d7fc3a432d2a4b411
Opcode Fuzzy Hash: aa7a7f3a94d64d8f9889b6b046af836bdf99aee86578d4b1f3e11c440df7e202
Instruction Fuzzy Hash: E151B1B1D103499FDB14CF9AD884ADEBBB1BF88314F24812AE419AB211D775A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EEFD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00EEFE4A

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4091f286b1d6636e2517cc458783e57eedf898096de7aa90962b7358b220c111
Instruction ID: 20a20855e0794a0fd8ad7e14eb846f8e1a0d4037c5d09fe83ef681c181d76578
Opcode Fuzzy Hash: 4091f286b1d6636e2517cc458783e57eedf898096de7aa90962b7358b220c111
Instruction Fuzzy Hash: A841C0B1D10349DFDF14CF9AD884ADEBBB5BF88314F24812AE419AB211D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EE5421

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9c3e3d46e66971cef640a9bdf21e6b4f978033c9943e8047533c660688033949
Instruction ID: 009d9ca03d3f03024abd83fede94e10cc57c06f1f0db8bec295f9c34e44fc8ac
Opcode Fuzzy Hash: 9c3e3d46e66971cef640a9bdf21e6b4f978033c9943e8047533c660688033949
Instruction Fuzzy Hash: D441F271C00659CADB24CFA6C8447DEBBB5BF88308F10815AD419BB251DB756986CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EE5421

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f4502da6fdbe278644a3cb160ec7f2177b01a5f577b5c8728a85a8587d92290f
Instruction ID: 330f17acbf508f276b32601158770b9b3be7ff5f6bbab0d5d529da1ab323d9ce
Opcode Fuzzy Hash: f4502da6fdbe278644a3cb160ec7f2177b01a5f577b5c8728a85a8587d92290f
Instruction Fuzzy Hash: AE410271C0065CCBDB24CFAAC84479EBBB5BF48308F50815AD419BB251DBB56985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EEB8F2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEB97F

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1a609390e4c5ba417cf0120826f0845bea1a62e924ef0f983d2d4cc8730506f9
Instruction ID: 2c74549fbe586cb95a638b7d00029984d75fbe715814d4fbdef2ff21eef7f755
Opcode Fuzzy Hash: 1a609390e4c5ba417cf0120826f0845bea1a62e924ef0f983d2d4cc8730506f9
Instruction Fuzzy Hash: 5821E3B59002489FDB10CF9AD884ADEBBF9EB48324F14801AE958B7310D375A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EEB8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEB97F

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 604c46ff60e3e02bce6bde4a1176290538996df9f60154f1083dbb264457bcce
Instruction ID: 144894b85fd4e780096b9a6088604688ae70daeaeb4d89387490388ed528fc19
Opcode Fuzzy Hash: 604c46ff60e3e02bce6bde4a1176290538996df9f60154f1083dbb264457bcce
Instruction Fuzzy Hash: A721C2B5D002589FDB10CFAAD884ADEFBF9EB48324F14841AE918B7310D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9B30 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EE9991,00000800,00000000,00000000), ref: 00EE9BA2

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fc4e0f7a9c6f09e39c83ae038a74d69c26a10d0d5705f65d1df02b491fce8724
Instruction ID: cea7089bb0ee298c547dac2372294d173b39f069cb351c045da7e4384f43d39b
Opcode Fuzzy Hash: fc4e0f7a9c6f09e39c83ae038a74d69c26a10d0d5705f65d1df02b491fce8724
Instruction Fuzzy Hash: 601100B6D002488FCB10DF9AD448BDEFBF5EB88324F00842AD859BB200C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE94B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EE9991,00000800,00000000,00000000), ref: 00EE9BA2

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fb502790b81c0350c42a46c32390bc1e9702fafd4a5c529bcf4bd56b49b092c4
Instruction ID: 60bcb7ab4c3853fc25a658497b2f46a79a8b940aa51ecf8519534495075976ad
Opcode Fuzzy Hash: fb502790b81c0350c42a46c32390bc1e9702fafd4a5c529bcf4bd56b49b092c4
Instruction Fuzzy Hash: 0D1114B2D002488FCB10CF9AD444BDEFBF5EB88324F14842AD819B7200C3B5A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE98B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EE9916

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1da6b3bcf34b3cb3707b25f8c2be31bb696f783e950bf6ec97108937d294e124
Instruction ID: e60a429f13bf12fd399f53d1d0b1bd09222a5a06ec7c0ffbe1a0720abc06d231
Opcode Fuzzy Hash: 1da6b3bcf34b3cb3707b25f8c2be31bb696f783e950bf6ec97108937d294e124
Instruction Fuzzy Hash: 881110B1D006498FCB10DF9AD444BDEFBF5EB89324F10841AD429B7201C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365450251.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e120351ae1d69376326af2480e564f31a5ccb07f8719750b7bb0a589f71d41
Instruction ID: d11c5cb3fff8129611164b5d9f1dc87ddcd46931f3a612da1e55754ecff2ed9e
Opcode Fuzzy Hash: c2e120351ae1d69376326af2480e564f31a5ccb07f8719750b7bb0a589f71d41
Instruction Fuzzy Hash: B12106B1508240DFDB15EF10DDC0F26BB65FB88328F24856AE90D6B286C336D856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365491836.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d165e399e8e5515e18b778e6e17f769b2065d10ea0a6eddc4ede60037deda5f
Instruction ID: b7027fa7d8d39a00c801095f4eebb723b0dc08fc8a43ff048df74bd808b33046
Opcode Fuzzy Hash: 6d165e399e8e5515e18b778e6e17f769b2065d10ea0a6eddc4ede60037deda5f
Instruction Fuzzy Hash: 6421B375508340DFDF14DF14D9C4B26BB66FB88318F24C969D9495B246C33AD846CA62

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365491836.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6632bea028ac5442025b87f454d160db14a151cadf049c6e9cd2c07f158cb43
Instruction ID: 824892dc7a368a7ad3b7c987f6d905d1a39f89e651f4addcefa72497363bace6
Opcode Fuzzy Hash: b6632bea028ac5442025b87f454d160db14a151cadf049c6e9cd2c07f158cb43
Instruction Fuzzy Hash: 6C2107B1508340EFDF05DF50DDC4B66BBA5FB88318F24C969E9095B256C336D846CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365491836.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29b87e9db460512c7377330a7c6b61f174f034a8369886c55b237c651a242e4
Instruction ID: 3dbc07e5d251f8e8aa254494f7ee862f81eca4756e0f13aa1bacfbd7a17bf942
Opcode Fuzzy Hash: b29b87e9db460512c7377330a7c6b61f174f034a8369886c55b237c651a242e4
Instruction Fuzzy Hash: 4721927550D3C08FDB12CF24D994715BF71EB46314F28C5EAD8498B697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365450251.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b37b6964cef88e04bf56cf3ed8c93bbb64104914b8e9b4460ec88b1e882bf
Instruction ID: b7ad08bce86aba6e6157fa681153cffbbd46c17d80e1c2fa1c86996c6c39a133
Opcode Fuzzy Hash: 550b37b6964cef88e04bf56cf3ed8c93bbb64104914b8e9b4460ec88b1e882bf
Instruction Fuzzy Hash: C311E676404280DFDF11DF10D9C4B16BF71FB84328F24C6AAD8495B656C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00E9D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365491836.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e9d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 468a72cb4856f06587c9b45c1d269c741de08ada7c9987b899fda78c1d2ca129
Instruction ID: e8d8e0ccc32cd400c6579efab265595c5274b2610658c9b9c1aae7752e164c75
Opcode Fuzzy Hash: 468a72cb4856f06587c9b45c1d269c741de08ada7c9987b899fda78c1d2ca129
Instruction Fuzzy Hash: 7411BB75908280DFDF11CF10C9C4B15BBB1FB84328F28C6A9D8495B6A6C33AD85ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365450251.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3299d4fb04e618fb45048fd75b794b4d28db3b0b43c7f85142dd78bba16aa39c
Instruction ID: 6af4262f70040b4f417616d54d762b6273aef7b310b4d3bef4bad5c62016cd71
Opcode Fuzzy Hash: 3299d4fb04e618fb45048fd75b794b4d28db3b0b43c7f85142dd78bba16aa39c
Instruction Fuzzy Hash: 5501F77110C3849AE7106E66CC84BA6BBA8DF45378F18851BEA0C6B286C37A9844C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8D744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365450251.0000000000E8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e8d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e488dba1ff4c2ccb0b5a455a18b522f977baa2590f3892caa2fe778ca09c2718
Instruction ID: 7399c6b3072e09920f00caada888fdefea4e947046ae8c3cfbab775024aad51f
Opcode Fuzzy Hash: e488dba1ff4c2ccb0b5a455a18b522f977baa2590f3892caa2fe778ca09c2718
Instruction Fuzzy Hash: FCF062715083949AE7109E16DC88B66FBA8EB45778F18C45BED0C5B286C3799844CBB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00EEE5B0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85650a32202cf4a0c303370d4656037ca90aac9d35ad0bb856876b33bd70549f
Instruction ID: e0203823bf5003264bfa8b3d5162011cb1c8697bcd27cc37a261f60d3190837e
Opcode Fuzzy Hash: 85650a32202cf4a0c303370d4656037ca90aac9d35ad0bb856876b33bd70549f
Instruction Fuzzy Hash: 4B12D8F94117468BD3B8CF65E9981893B63F745B28FA04328D2712BAD9D7B811CACF44

Uniqueness

Uniqueness Score: -1.00%

Function 00EEC164 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921aff4dc89fe0fb643852590347b8aa8c34106150d2526a6d7e92eda9646e79
Instruction ID: eb84b09c2e716f3d8ba76d5940d4562fda0d7552b29ec012ac6df98ee1d86e6b
Opcode Fuzzy Hash: 921aff4dc89fe0fb643852590347b8aa8c34106150d2526a6d7e92eda9646e79
Instruction Fuzzy Hash: 2CA19036E006598FCF19DFA6C8445DEB7F2FF88304B25856AE905BB261EB31E945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE5A2 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.365648585.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f052ae0d19a04e6bdfd7728dc383df9834d00c5fbc7b792f9126216fb03334a9
Instruction ID: d56d2bd2558a0c848a427aa1601a4d8735f207283fcb9e9241178698cb703aa4
Opcode Fuzzy Hash: f052ae0d19a04e6bdfd7728dc383df9834d00c5fbc7b792f9126216fb03334a9
Instruction Fuzzy Hash: A3C14DB94117458BD7A8CF64E8981897B73FB85B28F604328D2712FAD9D7B410CACF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: UmpBcHBDbXhaX.exePID: 624, Parent PID: 1088COMMON

Execution Graph

Execution Coverage:	12.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	10

Executed Functions

Function 0121FD2C Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0121FE4A

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 0ecfd19880944e77924fd327270147b487561ab63509e8b1b7789160ba8773f8
Instruction ID: 1e8aa8ffcf6e0f4456d3af71145707dbfe8c943740e78736d7f3fafb842ae4f4
Opcode Fuzzy Hash: 0ecfd19880944e77924fd327270147b487561ab63509e8b1b7789160ba8773f8
Instruction Fuzzy Hash: B151C0B1D102099FDF14CFA9C980ADEBBB1BF48314F64812AE819AB215D7749846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0121DE0C Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0121FE4A

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e0e4ec5146f8fbce98eecccbdfb3ba91b34b290cc505ce8d830db73de696badd
Instruction ID: 7dfb042570115ae86e772e1940d41a135fcd3164c2fc328e15f81df4498a987a
Opcode Fuzzy Hash: e0e4ec5146f8fbce98eecccbdfb3ba91b34b290cc505ce8d830db73de696badd
Instruction Fuzzy Hash: D851EFB1D10309DFDB14CF99C984ADEBBF1BF58314F24812AE919AB214D774A885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01215364 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01215421

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 8c3b320d994da995ba90cd8df03a088aaeb812c5d5cefb97438340d5f710850a
Instruction ID: b04407925060f50ede98982ca7d129cebf55f2a319331d987b8b91cfb4dff558
Opcode Fuzzy Hash: 8c3b320d994da995ba90cd8df03a088aaeb812c5d5cefb97438340d5f710850a
Instruction Fuzzy Hash: E2410271D00618CFDB24DFA9C8847CDBBB1FF99308F1081A9D518AB251DB756946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01213DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01215421

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 7d2e344f2c85b7c6989fed004415b89155b8eb6e0f8cfb33d5cbd4347b435ad0
Instruction ID: 9cd4df844583167f023842e26f32724f7be962d04108c2a8be0c17683a27fa77
Opcode Fuzzy Hash: 7d2e344f2c85b7c6989fed004415b89155b8eb6e0f8cfb33d5cbd4347b435ad0
Instruction Fuzzy Hash: 93412270D00218CFEB20DFA9C84478EBBF1FF89308F1081AAD508AB251DBB46946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 01219840 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0121B8BE,?,?,?,?,?), ref: 0121B97F

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2a46f914a69b424aee3175eee87d7d24b04a2011c819bd56234d5a4039b4aba5
Instruction ID: 9d3f2191edb504b8b25fd196a709279e4923416090227e62893c26c0e0346df2
Opcode Fuzzy Hash: 2a46f914a69b424aee3175eee87d7d24b04a2011c819bd56234d5a4039b4aba5
Instruction Fuzzy Hash: 962103B5D102089FDB10CF9AD484ADEBBF5EB48324F14801AE918B3310D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0121B8F3 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0121B8BE,?,?,?,?,?), ref: 0121B97F

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0dadc6d8cf7402a07421c9dda90ad3e4aca1ef9fda3ab77e1a007e1b9162826c
Instruction ID: fcf8e0b4e74337a1c30f70c872578ff02be2d8460559e058e6a8bc61b7a30467
Opcode Fuzzy Hash: 0dadc6d8cf7402a07421c9dda90ad3e4aca1ef9fda3ab77e1a007e1b9162826c
Instruction Fuzzy Hash: 5721E2B5D002099FDB10CFAAD484ADEFBF5FB48324F14801AE918A7310D374A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01219B30 Relevance: 1.6, APIs: 1, Instructions: 58
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01219991,00000800,00000000,00000000), ref: 01219BA2

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f8a4190d6fd3b9c499adc139516f2bf59810e6ae7c3e910e0c6abc3a21783cc6
Instruction ID: 1e1c8b872981bcbe70a60d4b7af263af3358f72b42ba9fc84ba363306a17b042
Opcode Fuzzy Hash: f8a4190d6fd3b9c499adc139516f2bf59810e6ae7c3e910e0c6abc3a21783cc6
Instruction Fuzzy Hash: 682136B6C003498FDB10CFAAC444ADEFBF5EB99314F05846AD519A7600D374A98ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012194B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,01219991,00000800,00000000,00000000), ref: 01219BA2

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 61c6643ab107b4aef5cf12e508aa929fd6d35b749cbadb95350ae9654e388f12
Instruction ID: 688db5e1c74881ba861c8f3222e904c5b4d0e8239170f2cb3c401a5b547a50a0
Opcode Fuzzy Hash: 61c6643ab107b4aef5cf12e508aa929fd6d35b749cbadb95350ae9654e388f12
Instruction Fuzzy Hash: B41103B69002099FDB10DF9AC444ADEFBF5EB98324F14842AD919A7200D374AA85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012198A8 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012192DB), ref: 01219916

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bd04501a34cea11c9bc1e1ae16740289502ee73e795d92fe36015d00030d208f
Instruction ID: 7e6a5d1c4834eb55960e7994ae6ba7c12383798866a9f4d269d6d68596998826
Opcode Fuzzy Hash: bd04501a34cea11c9bc1e1ae16740289502ee73e795d92fe36015d00030d208f
Instruction Fuzzy Hash: 161142B1C002498FDB11CF9AC4847CEBBF5EF89224F11805AD928A7201C378A586CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 01218240 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,012192DB), ref: 01219916

Memory Dump Source

Source File: 00000005.00000002.404890284.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1210000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 72dd4d2f97332d6bb69ebe36cb943d6d388841ea25b4012754d1198f6820f4db
Instruction ID: 57fa7656b7425ecd4dc20a3f5b1c746bc3c99f84252e769059d2ee493942664d
Opcode Fuzzy Hash: 72dd4d2f97332d6bb69ebe36cb943d6d388841ea25b4012754d1198f6820f4db
Instruction Fuzzy Hash: 5D1132B5D006498FDF10DF9AC444BDEFBF5EB89228F10802AD929B7600C374A586CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05AC9DC8 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 05AC9E20

Memory Dump Source

Source File: 00000005.00000002.411987992.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ac0000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 081a16fce556cec399332e7de13cc3aab9621dbfa23191b51ec15b67f78f32af
Instruction ID: 99d9f1534fc417ea49132c61acf245585201ccadc140c3883b1d694cccbc40a2
Opcode Fuzzy Hash: 081a16fce556cec399332e7de13cc3aab9621dbfa23191b51ec15b67f78f32af
Instruction Fuzzy Hash: 341133B18007098FCB20DF9AC444BDEBBF4EB48324F14845AD568A7340C338A984CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 05AC93D8 Relevance: 1.5, APIs: 1, Instructions: 44
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostMessageW.USER32(?,?,?,?), ref: 05AC9435

Memory Dump Source

Source File: 00000005.00000002.411987992.0000000005AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5ac0000_UmpBcHBDbXhaX.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 02599b8fbba9fe912fbadb52c4b420e144e995ddfce86475cf741a8e33f9b419
Instruction ID: 0c7d90a487da633d6981885efdc5288534ee539c36636fb21d5877f3246e1d10
Opcode Fuzzy Hash: 02599b8fbba9fe912fbadb52c4b420e144e995ddfce86475cf741a8e33f9b419
Instruction Fuzzy Hash: 0011D0B58002499FDB10DF9AC984BDEBFF8FB48324F10845AE559A7600C374A994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.403681541.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_UmpBcHBDbXhaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 746e020e961bd77ce0b16d14018d68ef68b4ab630aabb65f7bad15206ed34bda
Instruction ID: 5988e2f7c93ff50eed6e991ae8329e790fe9277d9f6fb83194a669904f0f7f01
Opcode Fuzzy Hash: 746e020e961bd77ce0b16d14018d68ef68b4ab630aabb65f7bad15206ed34bda
Instruction Fuzzy Hash: B4210675504240DFDB15DF10D9C0F26BBA5FB98328F2485BDE9094B246C336D856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.403681541.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_UmpBcHBDbXhaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b37b6964cef88e04bf56cf3ed8c93bbb64104914b8e9b4460ec88b1e882bf
Instruction ID: b6c9ab81262f24f3b6411b1f87411ce0f4ac2220f269d6903dd14aeb3659f992
Opcode Fuzzy Hash: 550b37b6964cef88e04bf56cf3ed8c93bbb64104914b8e9b4460ec88b1e882bf
Instruction Fuzzy Hash: 4411B176504280CFDB11CF10D9C4B16BFB1FB94324F24C6ADD8450B656C336D856CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD745 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.403681541.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_UmpBcHBDbXhaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509c2c1a5643478cc4a523ead03d9cb9e61b4addabb80f6d15ee88ac96b65cc9
Instruction ID: 3a90aef6f38862a78dbc3f93c48242925775b55779469703a9afe37a1859619e
Opcode Fuzzy Hash: 509c2c1a5643478cc4a523ead03d9cb9e61b4addabb80f6d15ee88ac96b65cc9
Instruction Fuzzy Hash: 3E01F275508340AAE7115E26CCC4F66BBE8EF45368F1885AFEA085B246D7789C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00BCD744 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.403681541.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_bcd000_UmpBcHBDbXhaX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a289537f02d53181f337d25d54180d574a1900e62f4ea3109a5e5e4a39fbc12e
Instruction ID: 0537eba0a6d53dce6b6798906651a26d1eefc1590b90ceba497a770e12841b45
Opcode Fuzzy Hash: a289537f02d53181f337d25d54180d574a1900e62f4ea3109a5e5e4a39fbc12e
Instruction Fuzzy Hash: 52F0C275504244AAEB108E15CCC8B62FFE8EB41374F18C59AED081B686C378AC44CAB0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exePID: 5340, Parent PID: 5644COMMON

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	212
Total number of Limit Nodes:	18

Executed Functions

Function 05D2BD98 Relevance: 4.6, Strings: 3, Instructions: 885COMMON

Download Yara Rule

Strings

D0rl, xrefs: 05D2C26D
D0rl, xrefs: 05D2C1E0
D0rl, xrefs: 05D2C36D

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: D0rl$D0rl$D0rl
API String ID: 0-100519504
Opcode ID: 6290bae4e85e39a5d5582de65774ea0e14490e436ae05a5a329e7ea477e8fc8d
Instruction ID: a5d785b23ec6a1ecc027dc8a0bcc1f93d139b438c4cc94288cb47419d3e5eba0
Opcode Fuzzy Hash: 6290bae4e85e39a5d5582de65774ea0e14490e436ae05a5a329e7ea477e8fc8d
Instruction Fuzzy Hash: F7727170A14229AFCB14CF69C844AAEBBF2FF98304F15846AE506EB365DB34DD41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05D2CAE8 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b89e24b958ebd6d384d83aaa8df8d607741c8acd21612c6eedbd60cd03b252cc
Instruction ID: 9d2a87b83b99d0a1c0f53dd70cd7b5bbd86d2539f3026750bd7de5cb1117aee6
Opcode Fuzzy Hash: b89e24b958ebd6d384d83aaa8df8d607741c8acd21612c6eedbd60cd03b252cc
Instruction Fuzzy Hash: 6B826D30A04219DFCB14DF68C984AAEBBF2FF59319F15855AE40ADB2A1C731EC42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05D264B8 Relevance: 6.7, Strings: 5, Instructions: 420
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xml, xrefs: 05D26808
xml, xrefs: 05D26789
xml, xrefs: 05D2661D
xml, xrefs: 05D26744
xml, xrefs: 05D268A5

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: xml$xml$xml$xml$xml
API String ID: 0-1082835255
Opcode ID: f4f24082d2a787d5a44019645205f26b520862d68319f018198a262d3ec04ddc
Instruction ID: 09db6990cb742c1e0f870ea37bea04ca819dbc5498a853e9fc5c41a1fec36ab9
Opcode Fuzzy Hash: f4f24082d2a787d5a44019645205f26b520862d68319f018198a262d3ec04ddc
Instruction Fuzzy Hash: C9E1B030A043508BDB34AB7CC4557AE76A2EB96318F10493ED05ADB790DF39DC85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05D26490 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

xml, xrefs: 05D26808
xml, xrefs: 05D26789
xml, xrefs: 05D2661D
xml, xrefs: 05D26744
xml, xrefs: 05D268A5

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: xml$xml$xml$xml$xml
API String ID: 0-1082835255
Opcode ID: 438bbcc16e99ef920bfcab323d38a582624788f120c9c2e8fff52a09a4672ac8
Instruction ID: 5749f3d7994133f267d89c45761a698986ff7ad194edc7bb867642b8a1be0467
Opcode Fuzzy Hash: 438bbcc16e99ef920bfcab323d38a582624788f120c9c2e8fff52a09a4672ac8
Instruction Fuzzy Hash: 3DC1B334A043508BDB34AB7CC0556ADB6B2EB95318F10493ED05ADB790DF39DC85CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05D28921 Relevance: 2.9, Strings: 1, Instructions: 1698COMMON

Download Yara Rule

Strings

\ml, xrefs: 05D29A1A

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \ml
API String ID: 0-2093625911
Opcode ID: 17500fe923f5457944ea301bbddabf166b402dfaec36c869d2be91b99e2ac274
Instruction ID: ba67599920dfcddd883531cc25750adee8e9b76ef113f67a280886db6ebf9a3b
Opcode Fuzzy Hash: 17500fe923f5457944ea301bbddabf166b402dfaec36c869d2be91b99e2ac274
Instruction Fuzzy Hash: 8EC20630B0D3854FD7069774CC65BAA7BF2AB96304F1A84B7E548DB392DA28DC4AC711

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B873 Relevance: 2.7, Strings: 2, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Xcrl, xrefs: 05D2B9F1
Xcrl, xrefs: 05D2B9FB

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Xcrl$Xcrl
API String ID: 0-1547875148
Opcode ID: 6ca7e3edf528919b4cb2f840c2a6cf9cd7fceea506e1f2fe766fac9400577f4b
Instruction ID: 31658fc4862730dafbf56568426b0739219c29f3d306a58b98ef0feda70346b0
Opcode Fuzzy Hash: 6ca7e3edf528919b4cb2f840c2a6cf9cd7fceea506e1f2fe766fac9400577f4b
Instruction Fuzzy Hash: EE81D334B04125CFEB14CF69C885A6AB7B2FF98218F158167D416EB361DBB1E841CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 060FA4F0 Relevance: 1.8, APIs: 1, Instructions: 300
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 060FA896

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1d8eda56a0b1f1cf80fac0ef6f45b9060e05f07f1936cb3594ef5cf8e23e9ad8
Instruction ID: 59f143f4b67a0946a1e296451955dd77e483f4b8ae48e56f90dee05db7c39985
Opcode Fuzzy Hash: 1d8eda56a0b1f1cf80fac0ef6f45b9060e05f07f1936cb3594ef5cf8e23e9ad8
Instruction Fuzzy Hash: 36B19270B107058FCB94DF79C894A5EBBF2FF88214B008969D51ADB755DB34E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D2778F Relevance: 1.8, Strings: 1, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

<, xrefs: 05D277A0

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: e929d8873c50643bb991d23942bba59636014730524f7845ea33f63e8655db02
Instruction ID: 5e62591d46799f7e52cf80dba26fa8c2f848554ec33fc663eb2f1586ab0ddf6f
Opcode Fuzzy Hash: e929d8873c50643bb991d23942bba59636014730524f7845ea33f63e8655db02
Instruction Fuzzy Hash: 0C324C74B002199FDB24AB64EC997AD77B2FF88300F5041AAD80AE3394DF315E858F59

Uniqueness

Uniqueness Score: -1.00%

Function 010B0878 Relevance: 1.8, APIs: 1, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: d7225b4751e0c637d2bb91a0e97161cf1fd0fb9d49d097da65e8ef523f7a7723
Instruction ID: 365ffcda48dce06819b2870ff885cf727db0616ece6d1396d3fdffac892994f8
Opcode Fuzzy Hash: d7225b4751e0c637d2bb91a0e97161cf1fd0fb9d49d097da65e8ef523f7a7723
Instruction Fuzzy Hash: CC81B070E002488FDF61CFA9D8807DEBBF0EF89324F2045AAE549E7299D7359845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05D298D0 Relevance: 1.7, Strings: 1, Instructions: 413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\ml, xrefs: 05D29A1A

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \ml
API String ID: 0-2093625911
Opcode ID: 5d2d3daf3948b28e31d7d50ce496fbd52dbead81242c67ecf9c7d9c0bfef2ac7
Instruction ID: 684cb78fc167496636b36a2526749879c00187024bd79279e141b5d140c4c6c1
Opcode Fuzzy Hash: 5d2d3daf3948b28e31d7d50ce496fbd52dbead81242c67ecf9c7d9c0bfef2ac7
Instruction Fuzzy Hash: 40E18434B042149FDB24DF68D8A4B6DBBB2FF89314F14843AE406EB394DA75DC818B91

Uniqueness

Uniqueness Score: -1.00%

Function 060FB791 Relevance: 1.7, APIs: 1, Instructions: 152
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060FB922

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 908571513c0f205b63ebfba50136922bb2a2deeadf27720a1c8b0b58f7e15754
Instruction ID: 7ea2ab8f9b90f2910f146f3cc41d3a0ff3e5b7fe44cbad65eb656bd91598cba1
Opcode Fuzzy Hash: 908571513c0f205b63ebfba50136922bb2a2deeadf27720a1c8b0b58f7e15754
Instruction Fuzzy Hash: 4E5112B1C04249AFDF01CFA9C884ADDBFB2FF48314F15856AE908AB261D7759895CF90

Uniqueness

Uniqueness Score: -1.00%

Function 060F9B54 Relevance: 1.6, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060FB922

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b32687612c0afedd5f519c8e54565cd10476b248fc50f764148f31f62ec63311
Instruction ID: 00a81eb5e100b0f3633b41fcd5217d6b4a2c89ae9bdeb9639b53817eeee6fd56
Opcode Fuzzy Hash: b32687612c0afedd5f519c8e54565cd10476b248fc50f764148f31f62ec63311
Instruction Fuzzy Hash: 2D51CEB1D10349AFDB14CF99C884ADEBFB5FF88310F24852AE919AB250D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 060FCEB4 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 060FE261

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: a198075c1ba2ea2eca02711e74fe09e7af7cfa3d631d70d65e881ad04d74397f
Instruction ID: 86f96b9bf7519effae698defef6660ce030307f16337d2beab3594d11c162ef3
Opcode Fuzzy Hash: a198075c1ba2ea2eca02711e74fe09e7af7cfa3d631d70d65e881ad04d74397f
Instruction Fuzzy Hash: F8415AB4950305DFDB80CF99C488BAAFBF5FB88314F148459E519A7721D735A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010BB754 Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 010BD762

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d8420f250714c839228498317a5a05e051272be8454b0ca9e7dc8f76327172ae
Instruction ID: 31a328d4be067e519200e5ae73e6b3c7afa578b1238da7406605ad603274437e
Opcode Fuzzy Hash: d8420f250714c839228498317a5a05e051272be8454b0ca9e7dc8f76327172ae
Instruction Fuzzy Hash: 2D3113B4D402899FDB14CFA9C8857DEFBF1BB08318F148529E855AB280E7789445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010BD68D Relevance: 1.6, APIs: 1, Instructions: 89
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?), ref: 010BD762

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3dba39052b203fdbdbdeebce3836b8312730c07652a090fb4108272745ff4ed5
Instruction ID: 5414eacfde17b47ccf1538df55496dc604919be0ac83a40e4804834781ff8602
Opcode Fuzzy Hash: 3dba39052b203fdbdbdeebce3836b8312730c07652a090fb4108272745ff4ed5
Instruction Fuzzy Hash: 063134B4D002899FDB14CFA9C8857DEFBF1BB08318F148529E855AB280E7789445CF95

Uniqueness

Uniqueness Score: -1.00%

Function 060FEB08 Relevance: 1.6, APIs: 1, Instructions: 74comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 060FF100

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 63972fc393c13d9a05b196d82c48b6ebd6acabbb18c9d343bc1b48c68532c357
Instruction ID: d716539ee5e65859c0454b66049447d3fe7727ce43a914f273eb356324ccc3e9
Opcode Fuzzy Hash: 63972fc393c13d9a05b196d82c48b6ebd6acabbb18c9d343bc1b48c68532c357
Instruction Fuzzy Hash: 5731F2B0D40209DFDB50DF99C884BDEBBF5BB48318F148029E504AB390D7B4A989CB95

Uniqueness

Uniqueness Score: -1.00%

Function 060FF075 Relevance: 1.6, APIs: 1, Instructions: 70comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 060FF100

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 6405de7977181761b5802aeb47c543038725ce90f15e44f21ddc18a137402b8f
Instruction ID: 54322f83e52e7d35b7274b6be8383d4f10443b11698012a1e4d4ace7b17af9d3
Opcode Fuzzy Hash: 6405de7977181761b5802aeb47c543038725ce90f15e44f21ddc18a137402b8f
Instruction Fuzzy Hash: 8B31D0B0D40209DFDB50CF98C985BDEBBF5BB48318F148419E504AB290D7749989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 060FCC68 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,060FD2AE,?,?,?,?,?), ref: 060FD36F

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: bcf7799dfce97185c521ae498b0447db206b754ed7a651132b5353ead3e9d5cb
Instruction ID: f352be3b3dbcdd64d562367e3d86f3547ddabcb00bc7d05791a7df2d5d7d0e3c
Opcode Fuzzy Hash: bcf7799dfce97185c521ae498b0447db206b754ed7a651132b5353ead3e9d5cb
Instruction Fuzzy Hash: 0021E5B5D002089FDB50CF99D884ADEBBF5EB48324F14841AE915A7350D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060FE57A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,060FE567), ref: 060FE5FF

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6a16a0cea31d75979094c5b99a396c2ed4f219db5ae1b3b1cbb3157acfa6d0da
Instruction ID: f18c6c50cb404cdf496a9ae7c7d4bbfae7226936587d651d034ed15b5dc10646
Opcode Fuzzy Hash: 6a16a0cea31d75979094c5b99a396c2ed4f219db5ae1b3b1cbb3157acfa6d0da
Instruction Fuzzy Hash: 9A1176B9D003489FCB10DFA9D849BCEBBF4EB48324F14885AE519A7250C778A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010B0A8B Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 010B0B0E

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: b0981cd0797ba49d73ac2aaf8f1ccda82b205c9fdcb2585ef904f35d698a15c8
Instruction ID: 2f3070522011f74a965c5ae05f1a2b905ecdb2311d32a919b5363bc489234e87
Opcode Fuzzy Hash: b0981cd0797ba49d73ac2aaf8f1ccda82b205c9fdcb2585ef904f35d698a15c8
Instruction Fuzzy Hash: 1B2133719003499FCB10CFA9D884BDFBFF4EB88324F10881AE519A7260C3759954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060FD2E7 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,060FD2AE,?,?,?,?,?), ref: 060FD36F

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7127559696a59c2e032365c99ab1f428ff343db21a46d583243ab964545b5dde
Instruction ID: b69a17e2f1b22a5a5deca134ac34bc449d745da8c74d18a14a9a4dd59373cba7
Opcode Fuzzy Hash: 7127559696a59c2e032365c99ab1f428ff343db21a46d583243ab964545b5dde
Instruction Fuzzy Hash: BF21B3B5D002089FDB10CFA9D984ADEBBF5EB48314F14841AE914A7250D374A954CF61

Uniqueness

Uniqueness Score: -1.00%

Function 010B57AF Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010B583A

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 8de1897d4a93b09ccbdc79cb0ca8fb1dcc8ee66c52a69cecb8ae6fa73980d42b
Instruction ID: 93b4952ca8de0382af1019a3bb03e7cd9b73daee21e1de338187d05a21cae5b9
Opcode Fuzzy Hash: 8de1897d4a93b09ccbdc79cb0ca8fb1dcc8ee66c52a69cecb8ae6fa73980d42b
Instruction Fuzzy Hash: E821B8B58013458FCB10DFA9D8883DABFF4EB09314F14889AD444F7241C7386648CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B042C Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(?,?,?,?,?,?), ref: 010B0B0E

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 60c8b7393bdbc22428824005ebc75b74aaeea747ecf163766def116b071b155e
Instruction ID: 370f81e7b545d93895e7fa72726ce18a94d5c21f14dc1180f7e4f5fd0cc0e27c
Opcode Fuzzy Hash: 60c8b7393bdbc22428824005ebc75b74aaeea747ecf163766def116b071b155e
Instruction Fuzzy Hash: 3C1123719006099FCB10DF9AD884BDFBBF5EB48324F108819E559B7250C375A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B57C0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 010B583A

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 06ea086f184b4b66d00db077794e7d310421dffa1efecee0abea52f68b6241e3
Instruction ID: ef9a6f621801c2174886e524adadc2900569a37709c90adaf7586f2ffaf209be
Opcode Fuzzy Hash: 06ea086f184b4b66d00db077794e7d310421dffa1efecee0abea52f68b6241e3
Instruction Fuzzy Hash: D01197759003098FDB60DFAAD8487DEBBF4EB08314F248969D445F7640D738A648CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 060FCF4C Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,060FE567), ref: 060FE5FF

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 094fba23d88d71e1029c6402119e70515c910df2ea1534f5f0ebfac08d9af139
Instruction ID: 0d0d5f804fb9a955348811be2f8fe8eeb616f80064567a8f14cb3fb81451f285
Opcode Fuzzy Hash: 094fba23d88d71e1029c6402119e70515c910df2ea1534f5f0ebfac08d9af139
Instruction Fuzzy Hash: C01125B19042099FCB50DF9AD84879EFBF4EB48324F10881AE619A7750D778A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060FD0A4 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 060FEF85

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a4685e29194ec996126d3c4cee44bc12b00c9d21c67fd41630ca6ebdadb2fce9
Instruction ID: 56cfdb14f0ee7693d9542082778e7f9190e881103fcedcdc7a5d5865ae242234
Opcode Fuzzy Hash: a4685e29194ec996126d3c4cee44bc12b00c9d21c67fd41630ca6ebdadb2fce9
Instruction Fuzzy Hash: 3A1133B08443489FCB50DF99D844B9EBBF4EB48224F10881AE519A7640C374A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 060FEF29 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 060FEF85

Memory Dump Source

Source File: 00000006.00000002.595301167.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_60f0000_SecuriteInfo.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 1cf5835c4b664d1891c47bfc645294f2163ae53aac8b06e1419c3c0dd05b2dd1
Instruction ID: 1cb366d749c7db012b0e0c9f8f3cb03f838a5ccca846d2b7032d59f7bcf1ef68
Opcode Fuzzy Hash: 1cf5835c4b664d1891c47bfc645294f2163ae53aac8b06e1419c3c0dd05b2dd1
Instruction Fuzzy Hash: 841112B5C00748CFCB50DFA9D849BCEBBF4EB48324F14881AE519A7650C378A548CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010B0554 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 010B0BB7

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7bc71fb3dfe1ce605c79c3d7be453759e5519d751cc24dba4c39cecdb861e4cf
Instruction ID: 84d0bb5010ddd837c5722e1e3f2d819167cd0976cf11fa8c4f8f2027dda6131b
Opcode Fuzzy Hash: 7bc71fb3dfe1ce605c79c3d7be453759e5519d751cc24dba4c39cecdb861e4cf
Instruction Fuzzy Hash: E01100B08046498FDB20DF9AD888BDEFBF4EB48324F10845AE559A7340C774A944CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 010B0B52 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 010B0BB7

Memory Dump Source

Source File: 00000006.00000002.591581077.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10b0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0442e9cdbc29eb0eec4f0c414be84a1dfa937ce999a1b2b3ded7af7c75dde619
Instruction ID: 7d8a6f94f1f20cdf5e7adef98438ecdff5a16c14c0de55f62282fb1ecb63909b
Opcode Fuzzy Hash: 0442e9cdbc29eb0eec4f0c414be84a1dfa937ce999a1b2b3ded7af7c75dde619
Instruction Fuzzy Hash: 8611F2B58006498FDB20DF9AD884BDEFBF4EB48324F14845AD559A7240C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D277B0 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a09a2acf0102504a8e7ea4d2627e4e2b2fd1ba9cb5179f4110173082a81ee11
Instruction ID: 732e5d9f7f5d14703f4d1e9df96b2019aaaa545fcdba7e4972b5d730234685f2
Opcode Fuzzy Hash: 1a09a2acf0102504a8e7ea4d2627e4e2b2fd1ba9cb5179f4110173082a81ee11
Instruction Fuzzy Hash: 6B324D74B002199FDB24AB64EC997AD77B6FF88300F5041AAD80AE3394DF315E858F59

Uniqueness

Uniqueness Score: -1.00%

Function 05D2ED3F Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6874e9483b1273743294612f44087b0b8e31ddd4892ed3455d980f6e3a3394f7
Instruction ID: f1bdc0b8167a3640f7b85fd50f9d85d3ad5ba3b9205cc6db110e7b309994cc55
Opcode Fuzzy Hash: 6874e9483b1273743294612f44087b0b8e31ddd4892ed3455d980f6e3a3394f7
Instruction Fuzzy Hash: 13D13975E002299FCB04CF68C985AADBBF2FF58314F16849AE515AB361C731EC81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 05D2CAD8 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7265013ed8da76ee6bf66a4daf0af407df799c7a1eb1ec37a6dfb9fc7ededc7
Instruction ID: 48889ed37f6bf3016dcb65ba34cbbea1779dfe1be9e87eb5aff9f8add32336bc
Opcode Fuzzy Hash: b7265013ed8da76ee6bf66a4daf0af407df799c7a1eb1ec37a6dfb9fc7ededc7
Instruction Fuzzy Hash: 98C16930A14219AFCB14CF69D984EAEBBF2BF58318F15855AE909EB361D731EC41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 05D2F828 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b4624d6cf2f1ecacc61b441030d2c3bcb2efcc779fe6ffe633d38ff853fed3
Instruction ID: 459401e042387e3c0af6124dcea64876e37948022dda954606003cf61edde26a
Opcode Fuzzy Hash: f4b4624d6cf2f1ecacc61b441030d2c3bcb2efcc779fe6ffe633d38ff853fed3
Instruction Fuzzy Hash: 4D91D571A04226EFCB14CF68C885E6EBBB1FF58314F06886AE9559B361D731EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B5E0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493d9d1b39bce62255ce0e7de59d8f7005e8b8fc2ef1d1b33d12835491c7901b
Instruction ID: a0c910b9e257447cf52d342108e61201c09046106068631fd60fb27a0d8864fa
Opcode Fuzzy Hash: 493d9d1b39bce62255ce0e7de59d8f7005e8b8fc2ef1d1b33d12835491c7901b
Instruction Fuzzy Hash: 1871C1347042218FD728AB68C894A3EB7A7BFC8209F04847AE5568F795DF75DC418B91

Uniqueness

Uniqueness Score: -1.00%

Function 05D28127 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f361b12da691ea4d71fc971330347915c815c3ab0aa321f090a1d11c53afc0a2
Instruction ID: a1f71521cccff4ec9a0e6b15b683ab79c57cb0da4b8f3608a95b3af0090c579b
Opcode Fuzzy Hash: f361b12da691ea4d71fc971330347915c815c3ab0aa321f090a1d11c53afc0a2
Instruction Fuzzy Hash: 0DA1CB34946328CFD765DB68D854ADC77B2BF8A30AF2080EAD54996300CB36DD86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28110 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a5b2a4ee592a395e707c349dd3322208fa5adbb2ad05f42ba1644e2912096b
Instruction ID: 2cd0b4e02fc7fc5526f8ac44d14c814bae8d80ef4d2a2efae7457a9c56d95071
Opcode Fuzzy Hash: 58a5b2a4ee592a395e707c349dd3322208fa5adbb2ad05f42ba1644e2912096b
Instruction Fuzzy Hash: 7591BB34946328DFD765DB28D854ADC77B2BF8A30AF2080EAD54996300CB36DD86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28162 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c64c8762435ab2eecae736546e8df122814aa0bb9ac749e20922f1776bc2e5e
Instruction ID: 3439bfb60144e620139135b406a50bd45535721e5c8bf896425bf9c48ff5c6cd
Opcode Fuzzy Hash: 9c64c8762435ab2eecae736546e8df122814aa0bb9ac749e20922f1776bc2e5e
Instruction Fuzzy Hash: 9791BB34946328CFD765DB24D854ADC77B2BF8A30AF2080EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B468 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde66d1540605f7309d8d70b162f242b1a9649bb065838336698f124c89cfb99
Instruction ID: ad02719aac6f3e51f9063b6690ad112f9670ac1ec97f876042602f58f179647e
Opcode Fuzzy Hash: cde66d1540605f7309d8d70b162f242b1a9649bb065838336698f124c89cfb99
Instruction Fuzzy Hash: 1251E3713042259FEB15CF24D888B7E7BE2FF98309F05892AE4568B390DB75D845CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D281A7 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb5dff17ea9595286daece609d7be321acf43fa05a4824f72881ca3f9891a81
Instruction ID: 6922e529c8d2f1b476b62000ffe1cb1337fbe55c664a3becac448bd73e891c07
Opcode Fuzzy Hash: beb5dff17ea9595286daece609d7be321acf43fa05a4824f72881ca3f9891a81
Instruction Fuzzy Hash: CF91AB34946329CFD764DB24D8946DC77B2BF8630AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D281EC Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55f13b387f6cad1534677dd636fd05b0b1d7c0274bb27ca7cb613b0684379bee
Instruction ID: c9733d594110cce5e74237daec1d14e72b313e27851dfb32621f1bae9a076ffc
Opcode Fuzzy Hash: 55f13b387f6cad1534677dd636fd05b0b1d7c0274bb27ca7cb613b0684379bee
Instruction Fuzzy Hash: 9D81AB34946368CFD765DB28D8946DCB7B2BF8630AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2D860 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883aff48393ee6812de65d619d2b84c1227ace4b1bf654f0042d32bd87773992
Instruction ID: bb38b1088bcaf12a55e596e87ad5dc6f66fe6f11300beeafbe43f176f69fcce7
Opcode Fuzzy Hash: 883aff48393ee6812de65d619d2b84c1227ace4b1bf654f0042d32bd87773992
Instruction Fuzzy Hash: 8C517031318121DFD714EF39C884E6ABBEBBF5864871944BAF45ACB265DB31DC028B50

Uniqueness

Uniqueness Score: -1.00%

Function 05D28231 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe5b83824cc3aaa5b97c7a453b015e4eacfdde992b87b49612c0cc88a984a06
Instruction ID: e1254e76a6491471d6866e49befbb48916a392352df4d00e11494c3c737a2d44
Opcode Fuzzy Hash: 1fe5b83824cc3aaa5b97c7a453b015e4eacfdde992b87b49612c0cc88a984a06
Instruction Fuzzy Hash: B181BB34946328CFD765DB25D8946DC77B2BF8A30AF1040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28276 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6b3c4ad2b5a3a4505eb6fa64f4513103888d22881052e6c482b40a65bf8adf
Instruction ID: 717d7a9d7403b4664341da2d34e9e564e3bbb630ba8e4c1d1402d1ff9d64d8e5
Opcode Fuzzy Hash: 5d6b3c4ad2b5a3a4505eb6fa64f4513103888d22881052e6c482b40a65bf8adf
Instruction Fuzzy Hash: 5771BB34946329CFD765DB28D894ADD77B2BF8A30AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D282B2 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3ceb1741c86b13ccf4b88c8a9f977774f943a6487110a0c26f54aed45aecc9
Instruction ID: 954994888d75603e1d9792b2c4f1951f3dec82eada8e00bd04b30fa4533187a6
Opcode Fuzzy Hash: 0b3ceb1741c86b13ccf4b88c8a9f977774f943a6487110a0c26f54aed45aecc9
Instruction Fuzzy Hash: F571BA34946329CFD765DB28D894ADD77B2BF8A30AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D282EE Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c56b26463acb537a6b6c13b04abe68efc9720c7547803c2fc68d613d0914429
Instruction ID: ba692e8a075208cf3a10b5078e7595332adeaeafb65c3f01fdd0501c8b7340ef
Opcode Fuzzy Hash: 0c56b26463acb537a6b6c13b04abe68efc9720c7547803c2fc68d613d0914429
Instruction Fuzzy Hash: 6061BB34946329CFD765DB28D8946DD77B2BF8630AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28333 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b974c31c09e2bb1c63048b46f7dcc9f457cf82f564b701c5e7f17238ab5b2
Instruction ID: 212acb09f663e57de99263806cde750658ed2b4bc60ad885b6ae3aea382f3065
Opcode Fuzzy Hash: 519b974c31c09e2bb1c63048b46f7dcc9f457cf82f564b701c5e7f17238ab5b2
Instruction Fuzzy Hash: 6E61BC34A46329CFD765DB28D8946DD77B2BF8A30AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28378 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed43e55ef0c831329be806413f3a89f2ff75e1eb9458971d29114db13844fdd5
Instruction ID: 183f38a5d661367d03849346e993d49cbcb0e94d3dad9a55cbe1c0178e899e80
Opcode Fuzzy Hash: ed43e55ef0c831329be806413f3a89f2ff75e1eb9458971d29114db13844fdd5
Instruction Fuzzy Hash: 6151BB34A46329CFD765DB28D8846DD77B2BF8630AF2080EAD54996300CB36DD86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D283B4 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00655d251e20d8f07aea8e8700088b125d32397aa8674ec90e787bacb1d44ae4
Instruction ID: 7fd7ae067daf8a671d14fd699bc263a4c5919474d2e13196b5156d6ea3601ae8
Opcode Fuzzy Hash: 00655d251e20d8f07aea8e8700088b125d32397aa8674ec90e787bacb1d44ae4
Instruction Fuzzy Hash: 0551BB34A46329CFD764DB68D8846DD77B2BF8630AF2040EAD54996300CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B240 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 826be9f36df749b58e1eb2b121f7276d02fb990d1ccd1bd1bd35c018fcc8ab51
Instruction ID: 88e4a9e4ec01e489737249d52c77ea4d48df20bde44ad616072092550988f79c
Opcode Fuzzy Hash: 826be9f36df749b58e1eb2b121f7276d02fb990d1ccd1bd1bd35c018fcc8ab51
Instruction Fuzzy Hash: 9A41D23130421A9FDB069F64D851BBE3BA6FF58304F048427F905CB2A1CB75C8668BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D283F9 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f70d669afbe20f45c6404f876451f1f904967c2e6c78ef660bb611616ba413
Instruction ID: b9f2dedb7a2feac104597070abb04523b46dccc8c98d43f18131f161339c4ba7
Opcode Fuzzy Hash: e8f70d669afbe20f45c6404f876451f1f904967c2e6c78ef660bb611616ba413
Instruction Fuzzy Hash: 7751CB34A46329CFD764DB68D8846DC77B2BF8630AF2080EAD54992300CB36DD82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05D2843E Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf286df5e4804abe0a42028a530c29b097fe19405ba98fb4e20a317062776319
Instruction ID: 1fc950e012f32aec5b7abe86703c1ec564f2d599b334661b5707278921a214cb
Opcode Fuzzy Hash: cf286df5e4804abe0a42028a530c29b097fe19405ba98fb4e20a317062776319
Instruction Fuzzy Hash: 5051CB34946369CFD765DB68D8846DC77B2BF8A30AF1080EAD54992300CB36DD82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05D2D670 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6bbe18ee8e68a6b1ff7857af8805dc45910b594f57390a8d38899e10c466c7
Instruction ID: 09ec1525d071b60b0c3740f662419a23c4ec5d07cc9c8c9470ba07a1d96b68cb
Opcode Fuzzy Hash: 5a6bbe18ee8e68a6b1ff7857af8805dc45910b594f57390a8d38899e10c466c7
Instruction Fuzzy Hash: EF414C75604125DFCB15EF69D848A6A7BB6FF48315F11446AF916CB3A0CB34DC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05D28483 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6430eb1fbeeb81ebdd05638855fd4f95fd3e19e3c1ac6fc943fbea3fdaf7db
Instruction ID: 3d44c7ee37b90e96c23f75a7f862201ea4cee62bb1643f3eea12ea466702eea7
Opcode Fuzzy Hash: af6430eb1fbeeb81ebdd05638855fd4f95fd3e19e3c1ac6fc943fbea3fdaf7db
Instruction Fuzzy Hash: CD41BA34946369CFD764DB68D8846DC77B2BF8630AF2080EAD50992340CB36DD86CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2EB50 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1d3de88994b05fd2778b351fb6f19ca5d4a1837652e626aff7f094526c80e4
Instruction ID: f0dcce6c2b2feaec46efad2a7cab36c057d7a8865e3158717d1d074d0e2ee1ee
Opcode Fuzzy Hash: ca1d3de88994b05fd2778b351fb6f19ca5d4a1837652e626aff7f094526c80e4
Instruction Fuzzy Hash: E031C1357042149FCB189B78D855BAE7BB7EF88210F148469E516EB394CF319C068BA1

Uniqueness

Uniqueness Score: -1.00%

Function 05D284C8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b0204c4f684e1ce73ae5d702fed958b57d28de390784f56f1e25e6a7f62e61
Instruction ID: e90ef3d46a65c8ced596e302ff873892a97528ff871e295d6c239377aa5e49de
Opcode Fuzzy Hash: 07b0204c4f684e1ce73ae5d702fed958b57d28de390784f56f1e25e6a7f62e61
Instruction Fuzzy Hash: 1D41BA34946369CBD764DB68D8856DC77B2BB8630AF2080EAD54992340CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2850D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 823b3c929008cd86a967aaa849a7aa4b9652d25af0ac61cbe3e8a2140dd662bf
Instruction ID: 8cc827f1390cfd49875864adac6eef51498e1ad55708f6bdf0450688aba9d744
Opcode Fuzzy Hash: 823b3c929008cd86a967aaa849a7aa4b9652d25af0ac61cbe3e8a2140dd662bf
Instruction Fuzzy Hash: 0A41BA34A46329CBD754DB68D8856DC77B2BB8630AF1080EAD50992340CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2DAA0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bac20161cf0ad3db2d53f160dc6bd0586a8789be869a2459dde52eac194d6db
Instruction ID: 0a2822008cee7781040eb3dc1010f4cafddcd9343f65fab181be0908c6dfd071
Opcode Fuzzy Hash: 8bac20161cf0ad3db2d53f160dc6bd0586a8789be869a2459dde52eac194d6db
Instruction Fuzzy Hash: D421D3313042254BDB24763998B4E3926BBEFD411FB14407AD506CBBA5EF25CC039796

Uniqueness

Uniqueness Score: -1.00%

Function 05D2DAB0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf3b93cabe82df12b8032ce07e6a49c45daabc8cbe25ba99d923d6847591807a
Instruction ID: 99d13cb5511bb4f1c99ca51d61aba54708e999c34c0d128281d98356ae29efb8
Opcode Fuzzy Hash: bf3b93cabe82df12b8032ce07e6a49c45daabc8cbe25ba99d923d6847591807a
Instruction Fuzzy Hash: 9B21C5313042254BEB24762998B4A7A36BBEFD465FF14807AD506CBBA4DE35CC439385

Uniqueness

Uniqueness Score: -1.00%

Function 05D28552 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4085511ea9e77d235ab4a6b9c3adb11d7b27322d5294e7fe4179951858cf00d8
Instruction ID: 22c30b3582ee0d4b78730bb050431350c46cff7bce79ee7d2e70a49f9c82e93c
Opcode Fuzzy Hash: 4085511ea9e77d235ab4a6b9c3adb11d7b27322d5294e7fe4179951858cf00d8
Instruction Fuzzy Hash: C531DA34A46329CBD754DB78D885ADC77B2BB8630AF1080EAD50992340CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2D9A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f81ce753a316e05879b09966abcf2bff53de2278612835a474de61e6a6bbea9
Instruction ID: 7cb4331db341ec256ba2fe017664bcfe97c13b6c82029927edc55a1b5b794539
Opcode Fuzzy Hash: 4f81ce753a316e05879b09966abcf2bff53de2278612835a474de61e6a6bbea9
Instruction Fuzzy Hash: 2321943170C6659FDB10EE299840E7B7BE7AB75248B0D4427F846C7644DB30C842C760

Uniqueness

Uniqueness Score: -1.00%

Function 05D28597 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab3dc889e054fb30d8997b885a8e8a807d26b7e7d14b082dbefa63874904e79a
Instruction ID: d97f0238047a953dc93cec3a704577e6d0d37f6c465ea4eb7e17d2c659a68d2e
Opcode Fuzzy Hash: ab3dc889e054fb30d8997b885a8e8a807d26b7e7d14b082dbefa63874904e79a
Instruction Fuzzy Hash: B231A934A46329CBD754DB78D884ADC77B2BB9630AF2180AAD54992340CB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D272C8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5ac223113d87f0f600bc2f2963478e89ccabc9d2fcfb05950652066b6c17659
Instruction ID: 26d7dc13d88204ce5d175c874f1727b81db8349a7e8e78663193fa2a765ee2f5
Opcode Fuzzy Hash: d5ac223113d87f0f600bc2f2963478e89ccabc9d2fcfb05950652066b6c17659
Instruction Fuzzy Hash: 9E119131B04370DBEF3441A8D845B7D3692FB6232CF140427FD66C6380E625C881CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 05D285DC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b8161b39aa783d1a3b946af5358878241ec8055ddaa82673d78be070cc2ad2
Instruction ID: 2bed3836635c9c51dd5a2565019f33337f85c5382facdad10140db65430a29b1
Opcode Fuzzy Hash: 41b8161b39aa783d1a3b946af5358878241ec8055ddaa82673d78be070cc2ad2
Instruction Fuzzy Hash: FF31CA34A46329CBD754DB78D8846DC77B2BB9630AF2140AAD54992340CF36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28621 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d793e01a2ff642e56a3549432bd41e21d6d2e3b9bd48e3e82623ab702696f7
Instruction ID: 7a71be6b4f61e35df17afb26b60c46595b9cada5fdc3af5f933c1fd53b6a048e
Opcode Fuzzy Hash: 99d793e01a2ff642e56a3549432bd41e21d6d2e3b9bd48e3e82623ab702696f7
Instruction Fuzzy Hash: 1821DB34A02329CBC754DB78D8846DC77B2BB9630AF2180AAD54992300CF36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B791 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359883039c07568755ff79243464f5332726ba2e8fb40d21a94e02bf682f7930
Instruction ID: ad22d537301e95b3786314dc19263de9a791770848d78c3e40978e41d2812580
Opcode Fuzzy Hash: 359883039c07568755ff79243464f5332726ba2e8fb40d21a94e02bf682f7930
Instruction Fuzzy Hash: F111E3357016228FD728AA29C89493BB766FFC4259B08407BE81ADB790DF72DC01C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 05D2EB43 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9522bd4ab4aff0318e8d45e508620667a6fb11c32e032f10188dd07a433496da
Instruction ID: 0533a39bd4480cf9850e4c08c98863e5bbde1bcaa15dd0f66107939d056ff0b4
Opcode Fuzzy Hash: 9522bd4ab4aff0318e8d45e508620667a6fb11c32e032f10188dd07a433496da
Instruction Fuzzy Hash: 5D118136B00218AFDB14DE69D944BAEBBBAFF8C310F144169E916E7350CA31AC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05D29D18 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3486ee58a8209f565f497596a1301eaae997d4bca4b4ee8812f0a02f9ef3de37
Instruction ID: 378c357d6739b892196ef8cc1c0fa3cf47d89d7feab8859e331dda65b7810268
Opcode Fuzzy Hash: 3486ee58a8209f565f497596a1301eaae997d4bca4b4ee8812f0a02f9ef3de37
Instruction Fuzzy Hash: 8301493130C2941FCB19527AA8696BBBFABDFDA210F09447BE146C7395DE348C4583B5

Uniqueness

Uniqueness Score: -1.00%

Function 05D272D8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809dc527680d5e9ac93f7ac8dbfe701475ed00500a3a7e5437c2b98179e46bf6
Instruction ID: 0053aa5c155b2d23d7419028f82746ff380a4dbf286bfde71b2964eba29a2110
Opcode Fuzzy Hash: 809dc527680d5e9ac93f7ac8dbfe701475ed00500a3a7e5437c2b98179e46bf6
Instruction Fuzzy Hash: C6118430704330CBEF3545A89459B7D2592F76632CF100427FD6BC6340D625C881CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 05D28666 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9681d6e390d75adaa6475f427b9f86047ce2399b21f783290804393d60bb0a7
Instruction ID: 9b0e0fa657839a5aec863c1a5628032c8fe38869c4a3327d450250e58672699f
Opcode Fuzzy Hash: f9681d6e390d75adaa6475f427b9f86047ce2399b21f783290804393d60bb0a7
Instruction Fuzzy Hash: 6B21C935A01329CBC714EB78D8846DC77B2BB9630AF2180AAD54A92300CF36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2F9F0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25e5d843e14ee386c1e7aab20e8276313fd3f56e00f00e8ca0ce71ffc6a459b0
Instruction ID: 3698597a6d0ddb3ff99969f2000e23edc6f6cb53397f28ac125955de02fce652
Opcode Fuzzy Hash: 25e5d843e14ee386c1e7aab20e8276313fd3f56e00f00e8ca0ce71ffc6a459b0
Instruction Fuzzy Hash: AC118275E0011ADFCB04DFA9D845AAEBBF9FB58200F10842BE525E3200D7748A15CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05D286A1 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c4e98227b88fbfed466578494ba41711067dd722eeb53fb6b92b767ee77bf8c
Instruction ID: d6af441eb82523fbaa03e5ac4ec88e6c78abfccac6421700d25d86c33920f2ec
Opcode Fuzzy Hash: 0c4e98227b88fbfed466578494ba41711067dd722eeb53fb6b92b767ee77bf8c
Instruction Fuzzy Hash: 62111F34A4131ACBC714DB79D8456DC77B2AF85309F2040AAD50993700DF36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d973bb84d547616c6b951d045b5a7078d6b39eabd83376dad76db57fc0611cbb
Instruction ID: f93de9a4eff9aa73588cbad235cf1e81ccc96da8495f180fe9be71921b72a488
Opcode Fuzzy Hash: d973bb84d547616c6b951d045b5a7078d6b39eabd83376dad76db57fc0611cbb
Instruction Fuzzy Hash: 1501D632604129AFDB19CE559C00BEE3B6AEBC8350F148136F615D7290C672C9139BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D2B3E8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e15e0537aea2379c513f82c266e4687e0591ba904e333157939f720eb3fdf77
Instruction ID: 4b78d90051d479085cb63c55c1ba03b5e207c276fba44c352e34400e1b7973b3
Opcode Fuzzy Hash: 6e15e0537aea2379c513f82c266e4687e0591ba904e333157939f720eb3fdf77
Instruction Fuzzy Hash: D801F932B041296F9B19DE599C10AEF3BABFBC8750F14812AF515D7284DF72CD129BA0

Uniqueness

Uniqueness Score: -1.00%

Function 05D286DC Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d4a892f7a22ef343c8be8f211696e85672ca975c5216cf81b7fc431e64b3409
Instruction ID: 860a4ed09fff4a955d43a4e90150394b42c3102cb2902e23bf7a6b9bdee31768
Opcode Fuzzy Hash: 5d4a892f7a22ef343c8be8f211696e85672ca975c5216cf81b7fc431e64b3409
Instruction Fuzzy Hash: 27111C34A4132ACBC764DB78D8846DC77B2AB85309F2140AAD10993700DF36DD86CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05D28717 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c79823ce7a437092bf60dc8aa6a6ba3317c05b9cb3f054962b81c4f8a4e22c
Instruction ID: d6a7c2a5f100383ffcaef56e8ee8896c9961edab0fdf0392f6180cac522c4d44
Opcode Fuzzy Hash: 88c79823ce7a437092bf60dc8aa6a6ba3317c05b9cb3f054962b81c4f8a4e22c
Instruction Fuzzy Hash: E3010835A4232ACBC724EB78D8856ED77B2AF95309F1040AAD509A3700DB36DD82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D28752 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ddf8cca9bf99a0d3a5c3486634fcea58c255fc2d7918740520b0d6ecd113eb
Instruction ID: 7ab69c13b6fc6de537f3254f593eaae133fa20413816816bad1ecb5e1728322d
Opcode Fuzzy Hash: e3ddf8cca9bf99a0d3a5c3486634fcea58c255fc2d7918740520b0d6ecd113eb
Instruction Fuzzy Hash: 91F01D35A4122ACBC724DB68D8806DC77B2BF95309F1040AAD10993700DB32DD82CF55

Uniqueness

Uniqueness Score: -1.00%

Function 05D2878D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97915339c63129ac097012724dcd217e5fb8543c9ca35919e9b5b66d6fcc854
Instruction ID: d46cffb79863b60318eed91213d31fbd58c9378e2650e56a2d904cff97f6791d
Opcode Fuzzy Hash: f97915339c63129ac097012724dcd217e5fb8543c9ca35919e9b5b66d6fcc854
Instruction Fuzzy Hash: ACF0DA35E01229CBDB10EB69E881ADCB7B5AF95315F1084EAD50EA2340DB329D82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 05D287CB Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef148c6a3aa3f0a04f5114eddd6e07f68e7a39d34ecc61dabe4e688331341e09
Instruction ID: a446f90801028ff58e63ae693f839fe64b47b24182205b4de3a8fc696c0e98cb
Opcode Fuzzy Hash: ef148c6a3aa3f0a04f5114eddd6e07f68e7a39d34ecc61dabe4e688331341e09
Instruction Fuzzy Hash: 04E0ED35E012298BCB50EB68D8806DCB371EF45215F1084E6D10DA2240DF329D86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05D2BB30 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e739a56cd4f6f3a0a720f0919138c3c868d5ff29f5d61bfe28293209526705ec
Instruction ID: 7319e813a75abf3d8f9230b53edaf25b41433d8728e9bf208d74fe74d0848529
Opcode Fuzzy Hash: e739a56cd4f6f3a0a720f0919138c3c868d5ff29f5d61bfe28293209526705ec
Instruction Fuzzy Hash: 6FC012343683094BCA84FB71F953525332AEAC52083408921D11D4A46ADFB455054B9A

Uniqueness

Uniqueness Score: -1.00%

Function 05D2BB32 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874d2c35811574b4a3668c356ed29c839bcaa5623ff8e20639a1e329886103e7
Instruction ID: 9ea2b2a4845d7be69b525ab81705ccdee35c5ef2778cb0f521e2a2242a1ff88c
Opcode Fuzzy Hash: 874d2c35811574b4a3668c356ed29c839bcaa5623ff8e20639a1e329886103e7
Instruction Fuzzy Hash: 93C012383683054BCA84FB71FA921693726EAC52083008A22D11D8A8AADFB585068B5A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 05D2BD08 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

ml, xrefs: 05D2BD3A
ml, xrefs: 05D2BD14
ml, xrefs: 05D2BD1E
ml, xrefs: 05D2BD46

Memory Dump Source

Source File: 00000006.00000002.595048648.0000000005D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5d20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ml$ml$ml$ml
API String ID: 0-2968258151
Opcode ID: f3d18f635660847e200536e0dbcd72c288ca879819e8ebd43e15bcc80a266224
Instruction ID: eb02c8ccbfcf5389d66d2f646d6ba3e49791bc34c58527b9ad70a8a6f61fb95b
Opcode Fuzzy Hash: f3d18f635660847e200536e0dbcd72c288ca879819e8ebd43e15bcc80a266224
Instruction Fuzzy Hash: C50192317104218FA7248A2CC441AAA73EAFFAA76831A40A7E007CF370DAB4EC418790

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UmpBcHBDbXhaX.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sdibjn1.iex.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1bp3fok.q3g.psm1

C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

C:\Users\user\AppData\Local\Temp\tmp8847.tmp

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Function 00EEB6C1 Relevance: 6.1, APIs: 4, Instructions: 124
threadCOMMON

Function 00EEB6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00EEFD2C Relevance: 1.6, APIs: 1, Instructions: 115
COMMON

Function 00EEFD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00EE5364 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 00EE3DE4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 00EEB8F2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00EEB8F8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 00EE9B30 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Function 00EE94B8 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 00EE98B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre