Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Analysis ID:	756003
MD5:	f64f729e0ba974c578afaac25665e067
SHA1:	d1225322fd5f16eb18a90ec4a4b007a010e2d51a
SHA256:	680f16527c5dc7e7e32bb27b99dcbc85c75282d853cb9a27c186963dae883d2e
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe (PID: 5644 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe MD5: F64F729E0BA974C578AFAAC25665E067)

powershell.exe (PID: 3216 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 3644 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe (PID: 5340 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe MD5: F64F729E0BA974C578AFAAC25665E067)

UmpBcHBDbXhaX.exe (PID: 624 cmdline: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: F64F729E0BA974C578AFAAC25665E067)

schtasks.exe (PID: 3540 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

UmpBcHBDbXhaX.exe (PID: 5468 cmdline: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe MD5: F64F729E0BA974C578AFAAC25665E067)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage"}

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage?chat_id=5733364805"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31883:$a13: get_DnsResolver 0x2ff53:$a20: get_LastAccessed 0x322b1:$a27: set_InternalServerPort 0x325e6:$a30: set_GuidMasterKey 0x30065:$a33: get_Clipboard 0x30073:$a34: get_Keyboard 0x3147d:$a35: get_ShiftKeyDown 0x3148e:$a36: get_AltKeyDown 0x30080:$a37: get_Password 0x30bd8:$a38: get_PasswordHash 0x31ce5:$a39: get_DefaultCredentials
0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x154b83:$a13: get_DnsResolver 0x18ada3:$a13: get_DnsResolver 0x1c0dc3:$a13: get_DnsResolver 0x153253:$a20: get_LastAccessed 0x189473:$a20: get_LastAccessed 0x1bf493:$a20: get_LastAccessed 0x1555b1:$a27: set_InternalServerPort 0x18b7d1:$a27: set_InternalServerPort 0x1c17f1:$a27: set_InternalServerPort 0x1558e6:$a30: set_GuidMasterKey 0x18bb06:$a30: set_GuidMasterKey 0x1c1b26:$a30: set_GuidMasterKey 0x153365:$a33: get_Clipboard 0x189585:$a33: get_Clipboard 0x1bf5a5:$a33: get_Clipboard 0x153373:$a34: get_Keyboard 0x189593:$a34: get_Keyboard 0x1bf5b3:$a34: get_Keyboard 0x15477d:$a35: get_ShiftKeyDown 0x18a99d:$a35: get_ShiftKeyDown 0x1c09bd:$a35: get_ShiftKeyDown
00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x68486:$a13: get_DnsResolver 0x67434:$a20: get_LastAccessed 0x68b28:$a27: set_InternalServerPort 0x68d0f:$a30: set_GuidMasterKey 0x6751a:$a33: get_Clipboard 0x67528:$a34: get_Keyboard 0x68203:$a35: get_ShiftKeyDown 0x68214:$a36: get_AltKeyDown 0x67535:$a37: get_Password 0x67c89:$a38: get_PasswordHash 0x68746:$a39: get_DefaultCredentials
Process Memory Space: UmpBcHBDbXhaX.exe PID: 624	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x477e:$a13: get_DnsResolver 0x30ae:$a20: get_LastAccessed 0x515b:$a27: set_InternalServerPort 0x53c2:$a30: set_GuidMasterKey 0x31a9:$a33: get_Clipboard 0x31b7:$a34: get_Keyboard 0x4414:$a35: get_ShiftKeyDown 0x4425:$a36: get_AltKeyDown 0x31c4:$a37: get_Password 0x3c78:$a38: get_PasswordHash 0x4bb4:$a39: get_DefaultCredentials
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x327c4:$s10: logins 0x3223e:$s11: credential 0x2e465:$g1: get_Clipboard 0x2e473:$g2: get_Keyboard 0x2e480:$g3: get_Password 0x2f86d:$g4: get_CtrlKeyDown 0x2f87d:$g5: get_ShiftKeyDown 0x2f88e:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2fc83:$a13: get_DnsResolver 0x2e353:$a20: get_LastAccessed 0x306b1:$a27: set_InternalServerPort 0x309e6:$a30: set_GuidMasterKey 0x2e465:$a33: get_Clipboard 0x2e473:$a34: get_Keyboard 0x2f87d:$a35: get_ShiftKeyDown 0x2f88e:$a36: get_AltKeyDown 0x2e480:$a37: get_Password 0x2efd8:$a38: get_PasswordHash 0x300e5:$a39: get_DefaultCredentials
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x345c4:$s10: logins 0x3403e:$s11: credential 0x30265:$g1: get_Clipboard 0x30273:$g2: get_Keyboard 0x30280:$g3: get_Password 0x3166d:$g4: get_CtrlKeyDown 0x3167d:$g5: get_ShiftKeyDown 0x3168e:$g6: get_AltKeyDown
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31a83:$a13: get_DnsResolver 0x30153:$a20: get_LastAccessed 0x324b1:$a27: set_InternalServerPort 0x327e6:$a30: set_GuidMasterKey 0x30265:$a33: get_Clipboard 0x30273:$a34: get_Keyboard 0x3167d:$a35: get_ShiftKeyDown 0x3168e:$a36: get_AltKeyDown 0x30280:$a37: get_Password 0x30dd8:$a38: get_PasswordHash 0x31ee5:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x126204:$s10: logins 0x15c424:$s10: logins 0x192444:$s10: logins 0x125c7e:$s11: credential 0x15be9e:$s11: credential 0x191ebe:$s11: credential 0x121ea5:$g1: get_Clipboard 0x1580c5:$g1: get_Clipboard 0x18e0e5:$g1: get_Clipboard 0x121eb3:$g2: get_Keyboard 0x1580d3:$g2: get_Keyboard 0x18e0f3:$g2: get_Keyboard 0x121ec0:$g3: get_Password 0x1580e0:$g3: get_Password 0x18e100:$g3: get_Password 0x1232ad:$g4: get_CtrlKeyDown 0x1594cd:$g4: get_CtrlKeyDown 0x18f4ed:$g4: get_CtrlKeyDown 0x1232bd:$g5: get_ShiftKeyDown 0x1594dd:$g5: get_ShiftKeyDown 0x18f4fd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x34f1b:$s1: file:/// 0x34e2b:$s2: {11111-22222-10009-11112} 0x34eab:$s3: {11111-22222-50001-00000} 0x34071:$s4: get_Module 0x343ec:$s5: Reverse 0x122456:$s5: Reverse 0x158676:$s5: Reverse 0x18e696:$s5: Reverse 0x2f58a:$s6: BlockCopy 0x1244d9:$s6: BlockCopy 0x15a6f9:$s6: BlockCopy 0x190719:$s6: BlockCopy 0x122714:$s7: ReadByte 0x158934:$s7: ReadByte 0x18e954:$s7: ReadByte 0x34f2d:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x1236c3:$a13: get_DnsResolver 0x1598e3:$a13: get_DnsResolver 0x18f903:$a13: get_DnsResolver 0x121d93:$a20: get_LastAccessed 0x157fb3:$a20: get_LastAccessed 0x18dfd3:$a20: get_LastAccessed 0x1240f1:$a27: set_InternalServerPort 0x15a311:$a27: set_InternalServerPort 0x190331:$a27: set_InternalServerPort 0x124426:$a30: set_GuidMasterKey 0x15a646:$a30: set_GuidMasterKey 0x190666:$a30: set_GuidMasterKey 0x121ea5:$a33: get_Clipboard 0x1580c5:$a33: get_Clipboard 0x18e0e5:$a33: get_Clipboard 0x121eb3:$a34: get_Keyboard 0x1580d3:$a34: get_Keyboard 0x18e0f3:$a34: get_Keyboard 0x1232bd:$a35: get_ShiftKeyDown 0x1594dd:$a35: get_ShiftKeyDown 0x18f4fd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x91fe4:$s10: logins 0xc8204:$s10: logins 0xfe224:$s10: logins 0x91a5e:$s11: credential 0xc7c7e:$s11: credential 0xfdc9e:$s11: credential 0x8dc85:$g1: get_Clipboard 0xc3ea5:$g1: get_Clipboard 0xf9ec5:$g1: get_Clipboard 0x8dc93:$g2: get_Keyboard 0xc3eb3:$g2: get_Keyboard 0xf9ed3:$g2: get_Keyboard 0x8dca0:$g3: get_Password 0xc3ec0:$g3: get_Password 0xf9ee0:$g3: get_Password 0x8f08d:$g4: get_CtrlKeyDown 0xc52ad:$g4: get_CtrlKeyDown 0xfb2cd:$g4: get_CtrlKeyDown 0x8f09d:$g5: get_ShiftKeyDown 0xc52bd:$g5: get_ShiftKeyDown 0xfb2dd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8f4a3:$a13: get_DnsResolver 0xc56c3:$a13: get_DnsResolver 0xfb6e3:$a13: get_DnsResolver 0x8db73:$a20: get_LastAccessed 0xc3d93:$a20: get_LastAccessed 0xf9db3:$a20: get_LastAccessed 0x8fed1:$a27: set_InternalServerPort 0xc60f1:$a27: set_InternalServerPort 0xfc111:$a27: set_InternalServerPort 0x90206:$a30: set_GuidMasterKey 0xc6426:$a30: set_GuidMasterKey 0xfc446:$a30: set_GuidMasterKey 0x8dc85:$a33: get_Clipboard 0xc3ea5:$a33: get_Clipboard 0xf9ec5:$a33: get_Clipboard 0x8dc93:$a34: get_Keyboard 0xc3eb3:$a34: get_Keyboard 0xf9ed3:$a34: get_Keyboard 0x8f09d:$a35: get_ShiftKeyDown 0xc52bd:$a35: get_ShiftKeyDown 0xfb2dd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x345c4:$s10: logins 0x6a7e4:$s10: logins 0xa0804:$s10: logins 0x3403e:$s11: credential 0x6a25e:$s11: credential 0xa027e:$s11: credential 0x30265:$g1: get_Clipboard 0x66485:$g1: get_Clipboard 0x9c4a5:$g1: get_Clipboard 0x30273:$g2: get_Keyboard 0x66493:$g2: get_Keyboard 0x9c4b3:$g2: get_Keyboard 0x30280:$g3: get_Password 0x664a0:$g3: get_Password 0x9c4c0:$g3: get_Password 0x3166d:$g4: get_CtrlKeyDown 0x6788d:$g4: get_CtrlKeyDown 0x9d8ad:$g4: get_CtrlKeyDown 0x3167d:$g5: get_ShiftKeyDown 0x6789d:$g5: get_ShiftKeyDown 0x9d8bd:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31a83:$a13: get_DnsResolver 0x67ca3:$a13: get_DnsResolver 0x9dcc3:$a13: get_DnsResolver 0x30153:$a20: get_LastAccessed 0x66373:$a20: get_LastAccessed 0x9c393:$a20: get_LastAccessed 0x324b1:$a27: set_InternalServerPort 0x686d1:$a27: set_InternalServerPort 0x9e6f1:$a27: set_InternalServerPort 0x327e6:$a30: set_GuidMasterKey 0x68a06:$a30: set_GuidMasterKey 0x9ea26:$a30: set_GuidMasterKey 0x30265:$a33: get_Clipboard 0x66485:$a33: get_Clipboard 0x9c4a5:$a33: get_Clipboard 0x30273:$a34: get_Keyboard 0x66493:$a34: get_Keyboard 0x9c4b3:$a34: get_Keyboard 0x3167d:$a35: get_ShiftKeyDown 0x6789d:$a35: get_ShiftKeyDown 0x9d8bd:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1b6:$v1: SbieDll.dll 0xd1d0:$v2: USER 0xd1dc:$v3: SANDBOX 0xd1ee:$v4: VIRUS 0xd23e:$v4: VIRUS 0xd1fc:$v5: MALWARE 0xd20e:$v6: SCHMIDTI 0xd222:$v7: CURRENTUSER
5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd1b6:$v1: SbieDll.dll 0xd1d0:$v2: USER 0xd1dc:$v3: SANDBOX 0xd1ee:$v4: VIRUS 0xd23e:$v4: VIRUS 0xd1fc:$v5: MALWARE 0xd20e:$v6: SCHMIDTI 0xd222:$v7: CURRENTUSER
5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a986:$v1: SbieDll.dll 0x2a9a0:$v2: USER 0x2a9ac:$v3: SANDBOX 0x2a9be:$v4: VIRUS 0x2aa0e:$v4: VIRUS 0x2a9cc:$v5: MALWARE 0x2a9de:$v6: SCHMIDTI 0x2a9f2:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a986:$v1: SbieDll.dll 0x2a9a0:$v2: USER 0x2a9ac:$v3: SANDBOX 0x2a9be:$v4: VIRUS 0x2aa0e:$v4: VIRUS 0x2a9cc:$v5: MALWARE 0x2a9de:$v6: SCHMIDTI 0x2a9f2:$v7: CURRENTUSER
Click to see the 24 entries

Sigma Signatures

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ParentProcessId: 5644, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp, ProcessId: 3644, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

ReversingLabs: Detection: 31%

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Joe Sandbox ML: detected

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage?chat_id=5733364805"}
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.5340.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/sendMessage"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://SDRcFr.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.366428290.0000000001207000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/
Source: UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/5733364805%discordapi%yyy
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.365703754.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3E12ED6Cu002dD3A3u002d460Eu002dAA91u002d617C2FC494E6u007d/D32C3C92u002d6775u002d47B3u002dB316u002d8190B687AACD.cs

Large array initialization: .cctor: array initializer size 10967

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEC164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEE5A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEE5B0
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121C164
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121E5A1
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_0121E5B0
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_05AC0E9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_010BFA20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_010BBB68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2BD98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2CAE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D20040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D229F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D20910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F0300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F03E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F61D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F9BA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F7208
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060F72B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FAD2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_060FBB10

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323275662.00000000007DA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDPxD.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.365703754.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.375394541.00000000073A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.589454463.0000000000CF8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000000.363775300.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec03bef3a-96ec-4973-ae0d-73bcad213f0f.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Binary or memory string: OriginalFilenameDPxD.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: UmpBcHBDbXhaX.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/9@0/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000000.323009902.00000000006F2000.00000002.00000001.01000000.00000003.sdmp, UmpBcHBDbXhaX.exe.0.dr	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.593323499.0000000002C40000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592905426.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5284:120:WilError_01
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Mutant created: \Sessions\1\BaseNamedObjects\eIuimuWJTjwFo
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1348:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5484:120:WilError_01

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000003.364514254.00000000071A0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: PP99Q.vBPmm8Q

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 0_2_00EEF972 pushad ; iretd
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Code function: 5_2_05AC65A0 pushfd ; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Code function: 6_2_05D2A6CD push 8B000005h; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.663847187465398
Source: initial sample	Static PE information: section name: .text entropy: 7.663847187465398

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

File created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (7).png

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2bb0724.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UmpBcHBDbXhaX.exe.2a20620.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.UmpBcHBDbXhaX.exe.2a02e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.2b92f54.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 624, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 5752	Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 1968	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5520	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 1400	Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 5504	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 4840	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe TID: 4808	Thread sleep count: 9742 > 30
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 4116	Thread sleep time: -19369081277395017s >= -30000s
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe TID: 4124	Thread sleep count: 9722 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9312
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Window / User API: threadDelayed 9742
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Window / User API: threadDelayed 9722

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 38122
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 38122
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Thread delayed: delay time: 922337203685477

Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Process created: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3e4f4c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3ee36e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.3f41100.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe PID: 5340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: UmpBcHBDbXhaX.exe PID: 5468, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	11 Masquerading	1 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Disable or Modify Tools	111 Input Capture	1 Process Discovery	Remote Desktop Protocol	111 Input Capture	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Data from Local System	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	32%	ReversingLabs	Win32.Trojan.Woreflint
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe	32%	ReversingLabs	Win32.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
6.0.SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://SDRcFr.com	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.comF	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.366428290.0000000001207000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.telegram.org/bot5796842243:AAESM2w0ubqts6zEsE_xN4PZ56pLfxQ9e7M/5733364805%discordapi%yyy	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, UmpBcHBDbXhaX.exe, 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe, 00000000.00000002.373712902.0000000006BF2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://SDRcFr.com	UmpBcHBDbXhaX.exe, 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756003
Start date and time:	2022-11-29 13:49:14 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 35s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/9@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:50:24	API Interceptor	591x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe modified
13:50:30	API Interceptor	19x Sleep call for process: powershell.exe modified
13:50:32	Task Scheduler	Run new task: UmpBcHBDbXhaX path: C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
13:50:39	API Interceptor	467x Sleep call for process: UmpBcHBDbXhaX.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UmpBcHBDbXhaX.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21876
Entropy (8bit):	5.601829389408276
Encrypted:	false
SSDEEP:	384:3tCRdN02OVJ/cVCyYnP0SBxniju57iJ9gvRSJ3uyO1+m0S1AVrdtGuA+inYQ:r/cG84xiS57JcuG7lQ
MD5:	2E9B889A60208A20362A3E53763B6013
SHA1:	7F1F939BC9A458DEE7D453964AEBF1D7FAFAA80C
SHA-256:	BFDABCA0F512BD8D3E9CB576755745431D206F0A62227CB17F878E7941D02AB2
SHA-512:	A17F20FF83AF7CBF72DD1796377E0A251E61A06BF4A3AD258694BDBCCD231BCC5A2C5B61D4DCE7F8444D967F26F739D19E8C8701F31021B692EB9AEA753F0379
Malicious:	false
Preview:	@...e...............................:.B..............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sdibjn1.iex.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1bp3fok.q3g.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.148849411848415
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZJxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTW/v
MD5:	82365BDA4E63EF625F4390CA5F4CF939
SHA1:	C08BB866E48BEC9B106EE09266328F367FF663C3
SHA-256:	089F94C9BFBD16049A4B211D130CE625DFD4C2761C988E08CE58712C1DC9A6BC
SHA-512:	E3017A4E3E3A66F46488418531719D3B10D2D838D9E81BFDCAF9F8A83B3B483D5361D869C1BDAA2C9E1541F2B16F94C4EC573CD3A94E1AA3A4EBA40ECD753186
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Local\Temp\tmp8847.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1600
Entropy (8bit):	5.148849411848415
Encrypted:	false
SSDEEP:	24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZJxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTW/v
MD5:	82365BDA4E63EF625F4390CA5F4CF939
SHA1:	C08BB866E48BEC9B106EE09266328F367FF663C3
SHA-256:	089F94C9BFBD16049A4B211D130CE625DFD4C2761C988E08CE58712C1DC9A6BC
SHA-512:	E3017A4E3E3A66F46488418531719D3B10D2D838D9E81BFDCAF9F8A83B3B483D5361D869C1BDAA2C9E1541F2B16F94C4EC573CD3A94E1AA3A4EBA40ECD753186
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	951296
Entropy (8bit):	7.6550716384576925
Encrypted:	false
SSDEEP:	12288:kBuqU+PCH5W8IgKprPRibKTh6SoqZpK3tUjjAK7nYbSuSmFbWNHrDdzoa1cfN:Idrlf6SoqbK3InYUJDdEPf
MD5:	F64F729E0BA974C578AFAAC25665E067
SHA1:	D1225322FD5F16EB18A90EC4A4B007A010E2D51A
SHA-256:	680F16527C5DC7E7E32BB27B99DCBC85C75282D853CB9A27C186963DAE883D2E
SHA-512:	6BF0F4A2567736CDFA5E422E23F1F43A593699A1276654264A619E2F1B4690AF911E04508D0928C3A84EA658C022DC4B44F4F0467254C72BB92191E212E029C8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..c..............0..j............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....j... ...j.................. ..`.rsrc................l..............@..@.reloc..............................@..B.......................H.......<...........l...8u..p...........................................^..}.....(.......(......0...........s......o......(........0...........s......o......(........0...........s......o......(........0...........s......o......(........0..+.........,..{.......+....,...{....o........(.......0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.6550716384576925
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
File size:	951296
MD5:	f64f729e0ba974c578afaac25665e067
SHA1:	d1225322fd5f16eb18a90ec4a4b007a010e2d51a
SHA256:	680f16527c5dc7e7e32bb27b99dcbc85c75282d853cb9a27c186963dae883d2e
SHA512:	6bf0f4a2567736cdfa5e422e23f1f43a593699a1276654264a619e2f1b4690af911e04508d0928c3a84ea658c022dc4b44f4f0467254c72bb92191e212e029c8
SSDEEP:	12288:kBuqU+PCH5W8IgKprPRibKTh6SoqZpK3tUjjAK7nYbSuSmFbWNHrDdzoa1cfN:Idrlf6SoqbK3InYUJDdEPf
TLSH:	FC15D08023A6AF70F5386BF37521904827763C6E94F1D2296DDDB0DE2A76B5049F0B27
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..c..............0..j............... ........@.. ....................................@................................

File Icon


Icon Hash:	63e6a3a1a6bdbdbb

Static PE Info

General

Entrypoint:	0x4e89fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385A66A [Tue Nov 29 06:27:54 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe89a8	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xea000	0x14d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xec000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe6a00	0xe6a00	False	0.8274824271680217	data	7.663847187465398	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xea000	0x14d0	0x1600	False	0.5793678977272727	data	5.573635871144453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xec000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xea0e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_GROUP_ICON	0xeb190	0x14	data
RT_VERSION	0xeb1a4	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Target ID:	0
Start time:	13:50:16
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Imagebase:	0x6f0000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.368700625.0000000002D78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.370626906.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.367157703.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: powershell.exePID: 3216, Parent PID: 5644

General

Target ID:	1
Start time:	13:50:27
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0xd00000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: conhost.exePID: 5284, Parent PID: 3216

General

Target ID:	2
Start time:	13:50:27
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: schtasks.exePID: 3644, Parent PID: 5644

General

Target ID:	3
Start time:	13:50:28
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp
Imagebase:	0xcb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 5484, Parent PID: 3644

General

Target ID:	4
Start time:	13:50:28
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: UmpBcHBDbXhaX.exePID: 624, Parent PID: 1088

General

Target ID:	5
Start time:	13:50:34
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0x690000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.406721462.0000000002BE2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000005.00000002.405119003.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 32%, ReversingLabs
Reputation:	low

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exePID: 5340, Parent PID: 5644

General

Target ID:	6
Start time:	13:50:35
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe
Imagebase:	0x7b0000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000006.00000000.363415114.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.592981435.0000000002BF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.592124173.0000000002B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exePID: 3540, Parent PID: 624

General

Target ID:	8
Start time:	13:50:46
Start date:	29/11/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UmpBcHBDbXhaX" /XML "C:\Users\user\AppData\Local\Temp\tmp8847.tmp
Imagebase:	0xcb0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 1348, Parent PID: 3540

General

Target ID:	9
Start time:	13:50:46
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: UmpBcHBDbXhaX.exePID: 5468, Parent PID: 624

General

Target ID:	10
Start time:	13:50:48
Start date:	29/11/2022
Path:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe
Imagebase:	0x740000
File size:	951296 bytes
MD5 hash:	F64F729E0BA974C578AFAAC25665E067
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.592547674.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.592099137.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UmpBcHBDbXhaX.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2sdibjn1.iex.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j1bp3fok.q3g.psm1

C:\Users\user\AppData\Local\Temp\tmp4E8A.tmp

C:\Users\user\AppData\Local\Temp\tmp8847.tmp

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe

C:\Users\user\AppData\Roaming\UmpBcHBDbXhaX.exe:Zone.Identifier

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12778.11165.exe

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre