Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Analysis ID:	756011
MD5:	277a9cd8ef361888eb41a6b7d0d94e26
SHA1:	9b703e613307793cd9f0309eb458d5f12f8400dd
SHA256:	8cdfbe67b609226da852adf3db3098941cffda7cea7443b935e1eed5fdae0bf3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4356 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4596 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cfe:$a13: get_DnsResolver 0x303f3:$a20: get_LastAccessed 0x3272c:$a27: set_InternalServerPort 0x32a61:$a30: set_GuidMasterKey 0x30505:$a33: get_Clipboard 0x30513:$a34: get_Keyboard 0x318f8:$a35: get_ShiftKeyDown 0x31909:$a36: get_AltKeyDown 0x30520:$a37: get_Password 0x31053:$a38: get_PasswordHash 0x32160:$a39: get_DefaultCredentials
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14f81e:$a13: get_DnsResolver 0x18603e:$a13: get_DnsResolver 0x1bc65e:$a13: get_DnsResolver 0x14df13:$a20: get_LastAccessed 0x184733:$a20: get_LastAccessed 0x1bad53:$a20: get_LastAccessed 0x15024c:$a27: set_InternalServerPort 0x186a6c:$a27: set_InternalServerPort 0x1bd08c:$a27: set_InternalServerPort 0x150581:$a30: set_GuidMasterKey 0x186da1:$a30: set_GuidMasterKey 0x1bd3c1:$a30: set_GuidMasterKey 0x14e025:$a33: get_Clipboard 0x184845:$a33: get_Clipboard 0x1bae65:$a33: get_Clipboard 0x14e033:$a34: get_Keyboard 0x184853:$a34: get_Keyboard 0x1bae73:$a34: get_Keyboard 0x14f418:$a35: get_ShiftKeyDown 0x185c38:$a35: get_ShiftKeyDown 0x1bc258:$a35: get_ShiftKeyDown
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8a6fa:$a13: get_DnsResolver 0x896cd:$a20: get_LastAccessed 0x8ad9c:$a27: set_InternalServerPort 0x8af83:$a30: set_GuidMasterKey 0x897b3:$a33: get_Clipboard 0x897c1:$a34: get_Keyboard 0x8a477:$a35: get_ShiftKeyDown 0x8a488:$a36: get_AltKeyDown 0x897ce:$a37: get_Password 0x89efd:$a38: get_PasswordHash 0x8a9ba:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x55c8d:$a13: get_DnsResolver 0x545e2:$a20: get_LastAccessed 0x5666a:$a27: set_InternalServerPort 0x568d1:$a30: set_GuidMasterKey 0x546dd:$a33: get_Clipboard 0x546eb:$a34: get_Keyboard 0x55923:$a35: get_ShiftKeyDown 0x55934:$a36: get_AltKeyDown 0x546f8:$a37: get_Password 0x55187:$a38: get_PasswordHash 0x560c3:$a39: get_DefaultCredentials
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16e:$v1: SbieDll.dll 0xd188:$v2: USER 0xd194:$v3: SANDBOX 0xd1a6:$v4: VIRUS 0xd1f6:$v4: VIRUS 0xd1b4:$v5: MALWARE 0xd1c6:$v6: SCHMIDTI 0xd1da:$v7: CURRENTUSER
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x344ba:$s11: credential 0x30705:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x30720:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x31b09:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x31b09:$a36: get_AltKeyDown 0x30720:$a37: get_Password 0x31253:$a38: get_PasswordHash 0x32360:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c40:$s10: logins 0x326ba:$s11: credential 0x2e905:$g1: get_Clipboard 0x2e913:$g2: get_Keyboard 0x2e920:$g3: get_Password 0x2fce8:$g4: get_CtrlKeyDown 0x2fcf8:$g5: get_ShiftKeyDown 0x2fd09:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300fe:$a13: get_DnsResolver 0x2e7f3:$a20: get_LastAccessed 0x30b2c:$a27: set_InternalServerPort 0x30e61:$a30: set_GuidMasterKey 0x2e905:$a33: get_Clipboard 0x2e913:$a34: get_Keyboard 0x2fcf8:$a35: get_ShiftKeyDown 0x2fd09:$a36: get_AltKeyDown 0x2e920:$a37: get_Password 0x2f453:$a38: get_PasswordHash 0x30560:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93e:$v1: SbieDll.dll 0x2a958:$v2: USER 0x2a964:$v3: SANDBOX 0x2a976:$v4: VIRUS 0x2a9c6:$v4: VIRUS 0x2a984:$v5: MALWARE 0x2a996:$v6: SCHMIDTI 0x2a9aa:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x6b260:$s10: logins 0xa1880:$s10: logins 0x344ba:$s11: credential 0x6acda:$s11: credential 0xa12fa:$s11: credential 0x30705:$g1: get_Clipboard 0x66f25:$g1: get_Clipboard 0x9d545:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x66f33:$g2: get_Keyboard 0x9d553:$g2: get_Keyboard 0x30720:$g3: get_Password 0x66f40:$g3: get_Password 0x9d560:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x68308:$g4: get_CtrlKeyDown 0x9e928:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x68318:$g5: get_ShiftKeyDown 0x9e938:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x6871e:$a13: get_DnsResolver 0x9ed3e:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x66e13:$a20: get_LastAccessed 0x9d433:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x6914c:$a27: set_InternalServerPort 0x9f76c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x69481:$a30: set_GuidMasterKey 0x9faa1:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x66f25:$a33: get_Clipboard 0x9d545:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x66f33:$a34: get_Keyboard 0x9d553:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x68318:$a35: get_ShiftKeyDown 0x9e938:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xcba60:$s10: logins 0x102280:$s10: logins 0x1388a0:$s10: logins 0xcb4da:$s11: credential 0x101cfa:$s11: credential 0x13831a:$s11: credential 0xc7725:$g1: get_Clipboard 0xfdf45:$g1: get_Clipboard 0x134565:$g1: get_Clipboard 0xc7733:$g2: get_Keyboard 0xfdf53:$g2: get_Keyboard 0x134573:$g2: get_Keyboard 0xc7740:$g3: get_Password 0xfdf60:$g3: get_Password 0x134580:$g3: get_Password 0xc8b08:$g4: get_CtrlKeyDown 0xff328:$g4: get_CtrlKeyDown 0x135948:$g4: get_CtrlKeyDown 0xc8b18:$g5: get_ShiftKeyDown 0xff338:$g5: get_ShiftKeyDown 0x135958:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3501f:$s1: file:/// 0x34f2f:$s2: {11111-22222-10009-11112} 0x34faf:$s3: {11111-22222-50001-00000} 0x341d9:$s4: get_Module 0x34554:$s5: Reverse 0xc7cee:$s5: Reverse 0xfe50e:$s5: Reverse 0x134b2e:$s5: Reverse 0x2f62d:$s6: BlockCopy 0xc9d34:$s6: BlockCopy 0x100554:$s6: BlockCopy 0x136b74:$s6: BlockCopy 0xc7fac:$s7: ReadByte 0xfe7cc:$s7: ReadByte 0x134dec:$s7: ReadByte 0x35031:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc8f1e:$a13: get_DnsResolver 0xff73e:$a13: get_DnsResolver 0x135d5e:$a13: get_DnsResolver 0xc7613:$a20: get_LastAccessed 0xfde33:$a20: get_LastAccessed 0x134453:$a20: get_LastAccessed 0xc994c:$a27: set_InternalServerPort 0x10016c:$a27: set_InternalServerPort 0x13678c:$a27: set_InternalServerPort 0xc9c81:$a30: set_GuidMasterKey 0x1004a1:$a30: set_GuidMasterKey 0x136ac1:$a30: set_GuidMasterKey 0xc7725:$a33: get_Clipboard 0xfdf45:$a33: get_Clipboard 0x134565:$a33: get_Clipboard 0xc7733:$a34: get_Keyboard 0xfdf53:$a34: get_Keyboard 0x134573:$a34: get_Keyboard 0xc8b18:$a35: get_ShiftKeyDown 0xff338:$a35: get_ShiftKeyDown 0x135958:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x151850:$s10: logins 0x188070:$s10: logins 0x1be690:$s10: logins 0x1512ca:$s11: credential 0x187aea:$s11: credential 0x1be10a:$s11: credential 0x14d515:$g1: get_Clipboard 0x183d35:$g1: get_Clipboard 0x1ba355:$g1: get_Clipboard 0x14d523:$g2: get_Keyboard 0x183d43:$g2: get_Keyboard 0x1ba363:$g2: get_Keyboard 0x14d530:$g3: get_Password 0x183d50:$g3: get_Password 0x1ba370:$g3: get_Password 0x14e8f8:$g4: get_CtrlKeyDown 0x185118:$g4: get_CtrlKeyDown 0x1bb738:$g4: get_CtrlKeyDown 0x14e908:$g5: get_ShiftKeyDown 0x185128:$g5: get_ShiftKeyDown 0x1bb748:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xbae0f:$s1: file:/// 0xbad1f:$s2: {11111-22222-10009-11112} 0xbad9f:$s3: {11111-22222-50001-00000} 0xb9fc9:$s4: get_Module 0xba344:$s5: Reverse 0x14dade:$s5: Reverse 0x1842fe:$s5: Reverse 0x1ba91e:$s5: Reverse 0xb541d:$s6: BlockCopy 0x14fb24:$s6: BlockCopy 0x186344:$s6: BlockCopy 0x1bc964:$s6: BlockCopy 0x14dd9c:$s7: ReadByte 0x1845bc:$s7: ReadByte 0x1babdc:$s7: ReadByte 0xbae21:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14ed0e:$a13: get_DnsResolver 0x18552e:$a13: get_DnsResolver 0x1bbb4e:$a13: get_DnsResolver 0x14d403:$a20: get_LastAccessed 0x183c23:$a20: get_LastAccessed 0x1ba243:$a20: get_LastAccessed 0x14f73c:$a27: set_InternalServerPort 0x185f5c:$a27: set_InternalServerPort 0x1bc57c:$a27: set_InternalServerPort 0x14fa71:$a30: set_GuidMasterKey 0x186291:$a30: set_GuidMasterKey 0x1bc8b1:$a30: set_GuidMasterKey 0x14d515:$a33: get_Clipboard 0x183d35:$a33: get_Clipboard 0x1ba355:$a33: get_Clipboard 0x14d523:$a34: get_Keyboard 0x183d43:$a34: get_Keyboard 0x1ba363:$a34: get_Keyboard 0x14e908:$a35: get_ShiftKeyDown 0x185128:$a35: get_ShiftKeyDown 0x1bb748:$a35: get_ShiftKeyDown
Click to see the 21 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Virustotal: Detection: 27%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384518788.0000000006EA3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383888553.0000000006BFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fhESbX.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail2.bpk-spb.ru
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.580423251.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coC?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384993675.0000000006E0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384993675.0000000006E0D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384432501.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579625475.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385288042.0000000006B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384504580.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000003.309946235.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.coma-e
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573111699.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573111699.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ffKDeOcgRB9.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown

DNS traffic detected: queries for: mail2.bpk-spb.ru

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6C97159Du002d948Au002d4C34u002d8EDEu002dBB37431C88DCu007d/u0037D11B9D8u002d0763u002d4715u002d8625u002d2EAD2336D536.cs

Large array initialization: .cctor: array initializer size 10930

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 0_2_00B9C164	0_2_00B9C164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 0_2_00B9E5B0	0_2_00B9E5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AC358	1_2_061AC358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AD0A8	1_2_061AD0A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A0040	1_2_061A0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A0910	1_2_061A0910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A29F8	1_2_061A29F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647A613	1_2_0647A613
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06477AB8	1_2_06477AB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06470040	1_2_06470040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647F868	1_2_0647F868
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06479568	1_2_06479568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06475110	1_2_06475110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06474758	1_2_06474758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06471F88	1_2_06471F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647F470	1_2_0647F470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A2E08	1_2_064A2E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064AAF98	1_2_064AAF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064AD898	1_2_064AD898
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A8908	1_2_064A8908
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A6598	1_2_064A6598
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A2DA4	1_2_064A2DA4

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.347920571.0000000007120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345204816.0000000004E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqzSt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000000.334183368.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.571795820.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Binary or memory string: OriginalFilenameqzSt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Virustotal: Detection: 27%

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2CA3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/2

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AAEC0 push 8BD08B66h; retf	1_2_061AAEC5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AAC98 push 8B000005h; retf	1_2_061AAC9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A5C90 push eax; iretd	1_2_061A5C9D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AB569 push es; ret	1_2_061AB5BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06470040 push es; iretd	1_2_06470EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D646 push es; iretd	1_2_0647D64C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D64E push es; iretd	1_2_0647D650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D656 push es; iretd	1_2_0647D658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D652 push es; iretd	1_2_0647D654
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D65E push es; iretd	1_2_0647D660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D65A push es; iretd	1_2_0647D65C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D662 push es; iretd	1_2_0647D684
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D60E push es; iretd	1_2_0647D610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D612 push es; iretd	1_2_0647D614
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6D6 push es; iretd	1_2_0647D6D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6D2 push es; iretd	1_2_0647D6D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6DE push es; iretd	1_2_0647D6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6DA push es; iretd	1_2_0647D6DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6E6 push es; iretd	1_2_0647D6EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6E2 push es; iretd	1_2_0647D6E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6EE push es; iretd	1_2_0647D6F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6F6 push es; iretd	1_2_0647D6F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6F2 push es; iretd	1_2_0647D6F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647DAF0 push es; retf	1_2_0647E8A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6FA push es; iretd	1_2_0647D71C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6A6 push es; iretd	1_2_0647D6A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6AE push es; iretd	1_2_0647D6D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6AA push es; iretd	1_2_0647D6AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D746 push es; iretd	1_2_0647D768
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D742 push es; iretd	1_2_0647D744
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D76E push es; iretd	1_2_0647D770

Source: initial sample

Static PE information: section name: .text entropy: 7.671253644478303

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 5928	Thread sleep time: -38122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 4464	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 4012	Thread sleep count: 9518 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99466s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99320s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99197s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99038s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98496s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98150s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -97957s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -97437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96916s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96789s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96605s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96482s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96246s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96135s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95903s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 5880	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95555s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95427s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94976s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94530s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94421s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93654s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93296s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93183s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92952s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92714s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92592s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Window / User API: threadDelayed 9518

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 38122	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99703	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99466	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99320	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99197	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99038	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98496	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98372	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98265	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98150	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 97957	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 97437	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96916	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96789	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96605	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96482	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96246	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96135	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96028	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95903	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95780	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95671	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95555	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95427	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95297	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95155	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94976	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94750	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94530	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94421	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94250	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94140	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93654	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93515	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93406	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93296	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93183	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93062	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92952	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92843	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92714	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92592	Jump to behavior

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579940741.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579940741.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-QoS Packet Scheduler-00009

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Code function: 1_2_06475110 LdrInitializeThunk,

1_2_06475110

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	34%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	28%	Virustotal		Browse
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
c-0001.c-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/lcr0#	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.defence.gov.au/pki0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://ca.mtin.es/mtin/ocsp0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://microsoft.coC?	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://fhESbX.com	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://ocsp.ncdc.gov.sa0	0%	URL Reputation	safe
http://mail2.bpk-spb.ru	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://www.tiro.coma-e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c-0001.c-msedge.net	13.107.4.50	true	false	0%, Virustotal, Browse	unknown
mail2.bpk-spb.ru	78.140.195.54	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383888553.0000000006BFC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/lcr0#	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fhESbX.com	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.defence.gov.au/pki0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0=	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.anf.es	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://microsoft.coC?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.580423251.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.registradores.org/normativa/index.htm0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssc.lt/cps03	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.coma-e	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000003.309946235.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/ocsp0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.letsencrypt.org0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.dnie.es/dpc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail2.bpk-spb.ru	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.globaltrust.info0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acedicom.edicomgroup.com/doc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://crl.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ac.economia.gob.mx/last.crl0G	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.catcert.net/verarrel	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sk.ee/juur/crl/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es00	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384504580.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.ncdc.gov.sa0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384432501.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579625475.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.140.195.54	mail2.bpk-spb.ru	Russian Federation		35000	PROMETEYPROMETEYLLCRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756011
Start date and time:	2022-11-29 13:52:42 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.4.50, 209.197.3.8
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:53:54	API Interceptor	652x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
c-0001.c-msedge.net	http://xmas-art.ru/fo/ufmavtiwaehat-sejautfoja/haotwaep/376197/?T=44g47k0c-8q-1q1QZ44igflammatiojb&vfilclszdwwrqimq5-t-nsnba=contyasseursSZ6J2	Get hash	malicious	Browse	13.107.4.50
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	13.107.4.50
	Iwutiwno.dll.dll	Get hash	malicious	Browse	13.107.4.50
	kW1RcHd3Np.exe	Get hash	malicious	Browse	13.107.4.50
	Urgent quote request -pdf-.exe	Get hash	malicious	Browse	13.107.4.50
	094089010-094098574-1669343495-1669343493-2332.html	Get hash	malicious	Browse	13.107.4.50
	LhLntDLA0i.exe	Get hash	malicious	Browse	13.107.4.50
	stGLUBW7kG.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50
	I8Kmld8K8U.exe	Get hash	malicious	Browse	13.107.4.50
	CamScanner-397841.exe	Get hash	malicious	Browse	13.107.4.50
	UPDATED SOA (2).exe	Get hash	malicious	Browse	13.107.4.50
	2022#U5e74#U4e2a#U4eba#U52b3#U52a8#U8865#U8d34.docx.doc	Get hash	malicious	Browse	13.107.4.50
	REMITTANCE COPY.exe	Get hash	malicious	Browse	13.107.4.50
	TNT Invoice_pdf.exe	Get hash	malicious	Browse	13.107.4.50
	n2cFuTcuzL.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.Trojan.PackedNET.1617.17943.11881.exe	Get hash	malicious	Browse	13.107.4.50
	SecuriteInfo.com.W32.A-62389890.Eldorado.4706.2477.exe	Get hash	malicious	Browse	13.107.4.50
	file.exe	Get hash	malicious	Browse	13.107.4.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PROMETEYPROMETEYLLCRU	gHjDEkPBlv.elf	Get hash	malicious	Browse	78.140.242.234
	igE3BClsMw	Get hash	malicious	Browse	188.227.96.208
	EZ9f5eb6zR	Get hash	malicious	Browse	78.140.193.155
	x86	Get hash	malicious	Browse	78.140.199.254
	X45qi1q6uN.exe	Get hash	malicious	Browse	78.111.84.6
	3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe	Get hash	malicious	Browse	78.140.240.154
	3D41425DAA1E1844BE0539723042DC532A640E5BA9EF9.exe	Get hash	malicious	Browse	78.140.240.154
	1D18C3C86D70C5371E761BA77C60C9361183EDC26368E.exe	Get hash	malicious	Browse	78.140.240.154
	4809227EE49AED05EEA812EC5FE60084177AE90A76E5A.exe	Get hash	malicious	Browse	78.140.240.154
	05E2540B7113609289FFB8CCDCB605AA6DAC2873DCCE1.exe	Get hash	malicious	Browse	78.140.240.154
	6104F2B4049168FEA236BB6A5B9A5194B878B61F87336.exe	Get hash	malicious	Browse	78.140.240.154
	54BCD3308C140C8EC030F98697CC7F0E9D4585D54334A.exe	Get hash	malicious	Browse	78.140.240.154
	07C18E8E0F92E75367DF02C4114947B038E86FCBC7C8E.exe	Get hash	malicious	Browse	78.140.240.154
	ev8zhBsCzU.exe	Get hash	malicious	Browse	78.140.240.154
	hrttshkxhj.exe	Get hash	malicious	Browse	78.140.240.154
	O5t4RGAkKg.exe	Get hash	malicious	Browse	78.140.240.154
	DG3kRWrQrf.exe	Get hash	malicious	Browse	78.140.240.154

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62919 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62919
Entropy (8bit):	7.995280921994772
Encrypted:	true
SSDEEP:	1536:d+OfVxHl7Wyf11lYom3xQcRVOtPHwQV4rP6Ji7:d+OxHxJlZcuPt4b6q
MD5:	3DCF580A93972319E82CAFBC047D34D5
SHA1:	8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
SHA-256:	40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1
SHA-512:	98384BE7218340F95DAE88D1CB865F23A0B4E12855BEB6E74A3752274C9B4C601E493864DB777BCA677A370D0A9DBFFD68D94898A82014537F3A801CCE839C42
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.......Q.........GU.\ .authroot.stl..O..5..CK..<Tk...c_.d....A.K...+.d.-;%.BJII!.QIR..$t)Kd.-QQ...g......^..~\|N=...y....{. .4{...W....b.i...j.I.......1:..b\.0.....Ait.2t......w.%.&.",tL_...4.8L[G..;.57....AT.k.......V..K......(....mzS...G....r.".=H.?>.........x&...S%....X.M^..j...A..x.9`.9...A../.s..#.4#.....Id.w..B....s.8..(...dj....=L.)..s.d.]NxQX8....stV#.K.'7.tH..9u~.2..!..2./.....!..9C../...mP $..../y.....@p.6.}.`...5. 0r.w...@(.. .Q....)g.........m..z.8rR..).].T9r<.L....0..`.........c.....;-.g..;.wk.)......i..c5.....{v.u...AS..=.....&.:.........+..P.N..9..EAQ.V.$s.......B.`.Mfe..8.......$...y-.q9J........W...2.Q8...O.......i..@\^.=X..dG$.M..#=....m.h..{9.'...-.v..Z...!....z.....N....i..^..,........d...%Xa~q.@D\|0...Y.m...........&d.4..A..{t=...../.t.3._.....?-.....uroP?.d.Z..S..{...$.i....X..$.O..4..N.)....U.Z..P....X,.... ...Lg..35..W..s.!c...Ap.].P..8..M..W.......U..,...m.u..\|=.m1..~..!..b...._.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1085359935940406
Encrypted:	false
SSDEEP:	6:kKLTEN1HlNiN+SkQlPlEGYRMY9z+4KlDA3RUeKlTAlWRyf1:DTk/kPlE99SNxAhUexYo1
MD5:	B81EE1A8A335587B8E02783E3D400D2D
SHA1:	68C4FAB0E6B9330789ADE1048D8BA46D5DE2C544
SHA-256:	ADCF90B3C43AF8DC7E11AFC46523C7D3EEF91AAB890B27D8C91505C1DBE62B3C
SHA-512:	EFA34C213A89887618E2998A1020AE87DECF11BC4F9AA7A8E3436DCED18E6313AD8D921465AF033CEFFB8383A2B11CFD453C588FAF7D4EB2DDEC460621D1B5EA
Malicious:	false
Reputation:	low
Preview:	p...... ........"S.!B...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.d.e.4.d.3.9.b.e.8.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.664770270231839
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File size:	960000
MD5:	277a9cd8ef361888eb41a6b7d0d94e26
SHA1:	9b703e613307793cd9f0309eb458d5f12f8400dd
SHA256:	8cdfbe67b609226da852adf3db3098941cffda7cea7443b935e1eed5fdae0bf3
SHA512:	fb35b96d3153b13ec2cea3c243114b9e1c8a58ee391c94f44555a2d7c07137702a4230446f616373c0cf139695d3dcf8fcc9a55de778ad2112f6874011dad44d
SSDEEP:	12288:o/x3qU+ai4t0ZiB3s8K4fMP7zs5y8m6Zwjz2boW9zq1krmvkhog/6Fb7wqzwBSDE:mxR0i3s8qDww8m6ZcQq21ht6woDdEPf
TLSH:	FC15DF8023A6AF75F1296BF37421900827B63C5EA5F1D2296DCDF0DE2A71B415AF0B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ebd9a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385B5DD [Tue Nov 29 07:33:49 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xebd48	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe9da0	0xe9e00	False	0.8298025370791021	data	7.671253644478303	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xec000	0x388	0x400	False	0.37109375	data	2.860979956316595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xec058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:54:15.805341959 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:15.861587048 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:15.861691952 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:15.996521950 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:15.996942043 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.049736023 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.053610086 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.094831944 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.097780943 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.157645941 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.161354065 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.204152107 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.760996103 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.815157890 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815237999 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815262079 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815372944 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.815437078 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815469027 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815517902 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.867993116 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.928946018 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.933392048 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.994105101 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:17.048006058 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.626239061 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.682285070 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.684568882 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.747383118 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.748119116 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.817748070 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.818945885 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.877036095 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.877501965 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.938349009 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.938827991 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.992013931 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.995357990 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.995471001 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.995975018 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.996053934 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:22.061959982 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.061983109 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.679898024 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.720345974 CET	49702	587	192.168.2.5	78.140.195.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:54:15.704055071 CET	51441	53	192.168.2.5	8.8.8.8
Nov 29, 2022 13:54:15.779623985 CET	53	51441	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 13:54:15.704055071 CET	192.168.2.5	8.8.8.8	0x57e7	Standard query (0)	mail2.bpk-spb.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 13:54:15.779623985 CET	8.8.8.8	192.168.2.5	0x57e7	No error (0)	mail2.bpk-spb.ru		78.140.195.54	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:15.779623985 CET	8.8.8.8	192.168.2.5	0x57e7	No error (0)	mail2.bpk-spb.ru		217.119.27.174	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:19.506061077 CET	8.8.8.8	192.168.2.5	0x7664	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 13:54:19.506061077 CET	8.8.8.8	192.168.2.5	0x7664	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:34.261774063 CET	8.8.8.8	192.168.2.5	0x2e9b	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 13:54:34.261774063 CET	8.8.8.8	192.168.2.5	0x2e9b	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 13:54:15.996521950 CET	587	49702	78.140.195.54	192.168.2.5	220 mail2.bpk-spb.ru ESMTP Postfix
Nov 29, 2022 13:54:15.996942043 CET	49702	587	192.168.2.5	78.140.195.54	EHLO 019635
Nov 29, 2022 13:54:16.053610086 CET	587	49702	78.140.195.54	192.168.2.5	250-mail2.bpk-spb.ru 250-PIPELINING 250-SIZE 36214400 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING
Nov 29, 2022 13:54:16.097780943 CET	49702	587	192.168.2.5	78.140.195.54	STARTTLS
Nov 29, 2022 13:54:16.161354065 CET	587	49702	78.140.195.54	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	13:53:42
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Imagebase:	0x370000
File size:	960000 bytes
MD5 hash:	277A9CD8EF361888EB41A6B7D0D94E26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	13:53:56
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Imagebase:	0xc70000
File size:	960000 bytes
MD5 hash:	277A9CD8EF361888EB41A6B7D0D94E26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	90
Total number of Limit Nodes:	8

Executed Functions

Function 00B9B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00B9B730
GetCurrentThread.KERNEL32 ref: 00B9B76D
GetCurrentProcess.KERNEL32 ref: 00B9B7AA
GetCurrentThreadId.KERNEL32 ref: 00B9B803

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 933d831212c256019b0d0509b08ddf979a1e4a972410fd3bdf4a2ce694a0df3e
Instruction ID: b3bff54dc2992e46ce68077a6057c22dcee63b72c18062f739069684cb340d28
Opcode Fuzzy Hash: 933d831212c256019b0d0509b08ddf979a1e4a972410fd3bdf4a2ce694a0df3e
Instruction Fuzzy Hash: 675127B4D002498FDB14CFAAD688BDEBBF1EB89314F108569E409B7350D7746944CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00B93DE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00B95421

Strings

ta, xrefs: 00B95499
0`, xrefs: 00B93DE4

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID: 0`$ta
API String ID: 2289755597-1580671299
Opcode ID: c2287c95f986c27bf04f2d24087b7fd7e2d617b63e47868029d59b495b657619
Instruction ID: 2351353f412216c8a177fb2fbb6a51e8bb6a85978cc635ce72d250af1f69a311
Opcode Fuzzy Hash: c2287c95f986c27bf04f2d24087b7fd7e2d617b63e47868029d59b495b657619
Instruction Fuzzy Hash: 9C410070C00618CBDB20CFA9C884BCEBBF1BF59309F20806AD408AB351D7756989CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B994B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00B99991,00000800,00000000,00000000), ref: 00B99BA2

Strings

XS, xrefs: 00B994B8

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: LibraryLoad
String ID: XS
API String ID: 1029625771-1674197376
Opcode ID: 39b7f874788e8f63993b5ac13de9365de2144bf75680a6619b6fede78c371f4d
Instruction ID: 3b7b98064714bbc1628916ce6a95daf38edb246f75d549a3609d63c23c36ff0c
Opcode Fuzzy Hash: 39b7f874788e8f63993b5ac13de9365de2144bf75680a6619b6fede78c371f4d
Instruction Fuzzy Hash: F511E7B69002499FDF10CF9AD544BDEFBF4EB98324F14846ED415A7600C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B9FCED Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9FE4A

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: f4d6209dd3f76a500e9a1a1890c2f7d04ce88a4f96d14f87b2726afd1ddb1119
Instruction ID: f6d4f600eb94b7d530cf31ef4cdf0fe9653f8e5605209a18914f1039cc79621c
Opcode Fuzzy Hash: f4d6209dd3f76a500e9a1a1890c2f7d04ce88a4f96d14f87b2726afd1ddb1119
Instruction Fuzzy Hash: FD51EDB1D00249AFDF11CFA9C884ADEBFB5FF48314F14816AE818AB221D7759855CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B9FD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00B9FE4A

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 064af0d28c51a5256fda5ada342cc5088b4eb23c18c665675415c6cb7e891c57
Instruction ID: 1e0ce0784b5a9fce59b40f293095193a4ecd6c54e18a2bffee6c3f3f7d324d31
Opcode Fuzzy Hash: 064af0d28c51a5256fda5ada342cc5088b4eb23c18c665675415c6cb7e891c57
Instruction Fuzzy Hash: 1E41CEB1D103099FDF14CFAAC984ADEBBB5FF48314F24852AE819AB210D7749885CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00B998B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00B99916

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3b9f0c720dcf299bad14d14688ffa829acd1f258b7355373b8f2c897071313c0
Instruction ID: 9b310b9b5cbadbd5bf74511f8c7db378247f9198dd450dd94ababd4892a9c9b3
Opcode Fuzzy Hash: 3b9f0c720dcf299bad14d14688ffa829acd1f258b7355373b8f2c897071313c0
Instruction Fuzzy Hash: A51102B6D002498FDB20CF9AC444BDEFBF4EB48324F10846ED419A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B9B95A Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B9B97F

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 191824c33a5b638a97ddea486d3259351f79ec9f54e7b709338da061777cb6e4
Instruction ID: 0fe80adba2edd439fc3c07e4401f240973bc61ecf4b7b57e3c3bc6329b3f6c18
Opcode Fuzzy Hash: 191824c33a5b638a97ddea486d3259351f79ec9f54e7b709338da061777cb6e4
Instruction Fuzzy Hash: B9F06DB2C00208EEDF108FD9E844BDEFBF5EB88314F14841AE114A7210C3759854CB60

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B9E5B0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338369e9db6d23976c53024a8216c2e357afb25c187bf88dbf9b0650e60fcf6a
Instruction ID: f42419e1f78c9fea34ffd88739e1f769cae4cf1a104d75e78c1395fc801576f2
Opcode Fuzzy Hash: 338369e9db6d23976c53024a8216c2e357afb25c187bf88dbf9b0650e60fcf6a
Instruction Fuzzy Hash: D51291B1411F468BE371DF65ED983897BA1B745328B904318D2A13BAF1DBF8118ACF46

Uniqueness

Uniqueness Score: -1.00%

Function 00B9C164 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.340001313.0000000000B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f8bba49a9bc72c79967f828c6754bbae2f8e1dedd0e8bf4449d6ae7cffbe04d
Instruction ID: 25fe62f4be60401f910b7a762120d6be2683c66be1ec0d2733a383eeb7349c0c
Opcode Fuzzy Hash: 1f8bba49a9bc72c79967f828c6754bbae2f8e1dedd0e8bf4449d6ae7cffbe04d
Instruction Fuzzy Hash: 47A13D32E002198FCF15DFB5C98499EBBF2FF85300B1585BAE905BB261EB71A955CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exePID: 4596, Parent PID: 4356COMMON

Execution Graph

Execution Coverage:	24%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	239
Total number of Limit Nodes:	16

Executed Functions

Function 06475110 Relevance: 2.1, APIs: 1, Instructions: 628
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 064756C1

Memory Dump Source

Source File: 00000001.00000002.579038195.0000000006470000.00000040.00000800.00020000.00000000.sdmp, Offset: 06470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6470000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9b2a554146fd7f5665a4795896d86e4a19dc1bba7e6e78fc45e749ee179f8215
Instruction ID: 0666fc6ce31a462e294acc240db475f62e604c2e9dfc545d82d330c6c3e584b6
Opcode Fuzzy Hash: 9b2a554146fd7f5665a4795896d86e4a19dc1bba7e6e78fc45e749ee179f8215
Instruction Fuzzy Hash: 70328C70A102058FDB69DBB4D5486AEBBF2EF89315F14842AE406DB394DF38DC45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 061A7C88 Relevance: 3.4, APIs: 2, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A7C88
KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9ccce544eed44397865717457b45da1c39511bb91c1a0a830f44120274014304
Instruction ID: 2ff3c57f65c444029cd1028ab432c960756777eceef173f7729f2b959e0da9b2
Opcode Fuzzy Hash: 9ccce544eed44397865717457b45da1c39511bb91c1a0a830f44120274014304
Instruction Fuzzy Hash: 0B12A438902269CFDBA8DF34D98969CB7B2FF49346F1045E9D50A92340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7CA9 Relevance: 1.9, APIs: 1, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e6b4b20739ec0f9b30d700a6d415a3affc1584369729c1fc62ea5880e860aef1
Instruction ID: 055d014a8db1d1686a895d33a90edb142fd31186dc3c10b2fc2f66f77799d5cf
Opcode Fuzzy Hash: e6b4b20739ec0f9b30d700a6d415a3affc1584369729c1fc62ea5880e860aef1
Instruction Fuzzy Hash: 1812A478902269CFDBA8DF34D98969CB7B2FF49305F1045E9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7CEE Relevance: 1.9, APIs: 1, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6fc1a33969afdbf80300b65ffb6f6bf770bad1747c8f181fdca3beadf619d79a
Instruction ID: 7ebb248f17e1abc5d26387083688acd45a5ae2c6c5916f6231158dfaf3dcaff3
Opcode Fuzzy Hash: 6fc1a33969afdbf80300b65ffb6f6bf770bad1747c8f181fdca3beadf619d79a
Instruction Fuzzy Hash: FA029378902269CFDBA8DF34D98969CB7B2FF49306F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7D33 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: add3e64ebc640551a9e2761d4de93aaa6de2534477bf7184d93af49172aa8678
Instruction ID: 1f9b58e6ed79867a2863cafd87e1469463a306919ece6e99ce7e117b050ce40a
Opcode Fuzzy Hash: add3e64ebc640551a9e2761d4de93aaa6de2534477bf7184d93af49172aa8678
Instruction Fuzzy Hash: E6029478902269CFDBA8DF34D98969CB7B2FF49305F1045D9D50AA2240CB3A5EC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7D78 Relevance: 1.8, APIs: 1, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bd71073fbcfba259e8e0d7e90f63f6ede45b644f4b50f0cdabc50aa879e43549
Instruction ID: d4b3b182d13d2a844e81a2fd1620590f7e95cca0184f8fd91bac2c527c996b51
Opcode Fuzzy Hash: bd71073fbcfba259e8e0d7e90f63f6ede45b644f4b50f0cdabc50aa879e43549
Instruction Fuzzy Hash: 4302A478902269CFDBA8DF34D98969CB7B2FF49305F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7DBD Relevance: 1.8, APIs: 1, Instructions: 333
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1d91c2312dd69eef051763c5475730a096512ebfbba6dec51a1f64f437d6869c
Instruction ID: 2b297766b21bd450e70f5ba622e1b046650d3d0ea895b5a8f0196d5efd557c13
Opcode Fuzzy Hash: 1d91c2312dd69eef051763c5475730a096512ebfbba6dec51a1f64f437d6869c
Instruction Fuzzy Hash: F902A438902269CFDBA8DF34D98969CB7B2FF49345F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7E02 Relevance: 1.8, APIs: 1, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: feccebbed0e72a3ea86fb45c992f0422716225847daaa2a7ce790871e6af4170
Instruction ID: 09e2e83f23b4529c1c0d376f717d76f56aa6dfba475e8c34b578264b3fb0cbb8
Opcode Fuzzy Hash: feccebbed0e72a3ea86fb45c992f0422716225847daaa2a7ce790871e6af4170
Instruction Fuzzy Hash: EAF1A438902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7E3E Relevance: 1.8, APIs: 1, Instructions: 319
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fe3e1bf095f64f61b913b2ff27f376638d63578f3bd852fe4038e675a3cc27c5
Instruction ID: 7924d3c3d2e701c1849c16f564da3b4fe1fb1ecf48c8e7f20e2d748d36255fc2
Opcode Fuzzy Hash: fe3e1bf095f64f61b913b2ff27f376638d63578f3bd852fe4038e675a3cc27c5
Instruction Fuzzy Hash: D9F19338902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7E83 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7da782cfcc8125a9b266dbdcc2d00c60e3bc431706e67653cfaa6f5a0d5ab44a
Instruction ID: dd3a64cdc45d18458b780c2842f76d808136c2b10ff53a0df5d9aed987af8b8d
Opcode Fuzzy Hash: 7da782cfcc8125a9b266dbdcc2d00c60e3bc431706e67653cfaa6f5a0d5ab44a
Instruction Fuzzy Hash: 35F19438902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7EC8 Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6afec4b41eb4ccc079afa873c0160484d4409b74fbf2a878c830bed11598283d
Instruction ID: 6c5948ee3bb826eb5331ed0f40a0be26a7cc20852d95feec8e94735ff4a2d253
Opcode Fuzzy Hash: 6afec4b41eb4ccc079afa873c0160484d4409b74fbf2a878c830bed11598283d
Instruction Fuzzy Hash: 1EF1A438902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7F04 Relevance: 1.8, APIs: 1, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 991c1b5f75ad93189ffa9382807a1b36e4113eef3a74385e7d32348a02a7ff01
Instruction ID: 15f7e9d012a1312d8d3fae0cc767d1788bfe4f1e876d9b3460a9c912a8b8826b
Opcode Fuzzy Hash: 991c1b5f75ad93189ffa9382807a1b36e4113eef3a74385e7d32348a02a7ff01
Instruction Fuzzy Hash: 70F1A438902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7F49 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 09fbe3cdb8e0da32d60d290b065b93eaceed56284801b7c33d8826622499c17b
Instruction ID: df01a752649a176375d4b2ae0598e1ae5602e44359f2a2e9a2bc7238dd3c8b03
Opcode Fuzzy Hash: 09fbe3cdb8e0da32d60d290b065b93eaceed56284801b7c33d8826622499c17b
Instruction Fuzzy Hash: D5E1A438902229CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7F8E Relevance: 1.8, APIs: 1, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 831732f08d0c846b850abeba5c26529d046c151f08af746101cc7692e479826f
Instruction ID: fb0f04500e5953570bf6d5a0450f6c44bc0b6c65cde33d44c4ccfa279125a58c
Opcode Fuzzy Hash: 831732f08d0c846b850abeba5c26529d046c151f08af746101cc7692e479826f
Instruction Fuzzy Hash: 55E1A538902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB395AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A7FD3 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 82d2a6cfe07db3265ca37c3deecb4e65dd7d1d912fada8689cecaca5e35423ce
Instruction ID: d92c429a4a062110a1e6cfded1154cdb4e8aa23b2ff6362e7aab5b43244a9d37
Opcode Fuzzy Hash: 82d2a6cfe07db3265ca37c3deecb4e65dd7d1d912fada8689cecaca5e35423ce
Instruction Fuzzy Hash: 7BE1A438902229CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB399AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A8018 Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cc8abce7b562f2b875c686d0407b8dee3e099b62081892994b6aaf882ce6071f
Instruction ID: 6e964b248e7d987a75150bc5062e21bdfd4b945530a0b4a0efb0e6dd2a97eb1b
Opcode Fuzzy Hash: cc8abce7b562f2b875c686d0407b8dee3e099b62081892994b6aaf882ce6071f
Instruction Fuzzy Hash: 67E1A438902269CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A805D Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7f8da27d145bf6dfc9728920c1d7a1996a4f8169b9fab80190754f491ef05b96
Instruction ID: e39eb5232192dc89285a618ead313aafbdc5eb1bb2d7d412c2920a23ed7f8624
Opcode Fuzzy Hash: 7f8da27d145bf6dfc9728920c1d7a1996a4f8169b9fab80190754f491ef05b96
Instruction Fuzzy Hash: B7D1B438902229CFDBA8DF34D98969CB7B2FF45306F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A80A2 Relevance: 1.8, APIs: 1, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e09334e0374e00125c47b6e6f27a6b747cd4a92707866f9d15c728255a5dedd8
Instruction ID: 48598aca89e869107c1f5e43705f5797c8c1a7f93b144d442ec16c545a68c3c4
Opcode Fuzzy Hash: e09334e0374e00125c47b6e6f27a6b747cd4a92707866f9d15c728255a5dedd8
Instruction Fuzzy Hash: A8D1A438906229CFDBA8DF34D98969CB7B2FF45346F1045D9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A80E7 Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f8b046b8d0a4b0b1336f4ee5f5a607238dad6a83be3912f8894d9e6276b5a828
Instruction ID: af38fa28948e84a4fa08c92f9b1da38b5535efd969660909e04282301284bf62
Opcode Fuzzy Hash: f8b046b8d0a4b0b1336f4ee5f5a607238dad6a83be3912f8894d9e6276b5a828
Instruction Fuzzy Hash: 94D1B438906229CFDBA8DF34D98969CB7B2FF45346F1045E9D50AA2340CB3A5AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 061A8123 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 061A8147

Memory Dump Source

Source File: 00000001.00000002.578869748.00000000061A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_61a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 95c9e322d28c9de4b9fcc4c69cb68d30d7048017f923f1b492d29daf6a23a003
Instruction ID: 5431a4af20fb26ddc76cb95b3158b89c1c52776e11f8d12a45f660b2a1cc1284
Opcode Fuzzy Hash: 95c9e322d28c9de4b9fcc4c69cb68d30d7048017f923f1b492d29daf6a23a003
Instruction Fuzzy Hash: ACC1B438906229CFDBA8DF34D98969CB7B2FF49346F1045D9D50AA2340CB355AC1DF61

Uniqueness

Uniqueness Score: -1.00%

Function 012BDA01 Relevance: 1.7, Instructions: 1670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.571958025.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53f77b9aa5107c0371f97b0cd0809642554208546ce20e2cc5ff2129caf4e1f
Instruction ID: d310b77eb9da1e1307d5f44dc8e6cb19bdf2c6e07d281a455a27084d2fb8191c
Opcode Fuzzy Hash: d53f77b9aa5107c0371f97b0cd0809642554208546ce20e2cc5ff2129caf4e1f
Instruction Fuzzy Hash: 0372372605E7C64FD3234BB48DA16C27FB0AF13224B0E89DBD5C0CB5A3D21D9A59D762

Uniqueness

Uniqueness Score: -1.00%

Function 064AD3C6 Relevance: 1.7, APIs: 1, Instructions: 156libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 064AD431

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a3bb95c46549c9ef7ed6551b4e25c1e5f4739181c9848c0a11372956d38f895
Instruction ID: 3fe532364427d72e0d109d9fb950506da7307751b168df1163ef2215d8e2c0c8
Opcode Fuzzy Hash: 7a3bb95c46549c9ef7ed6551b4e25c1e5f4739181c9848c0a11372956d38f895
Instruction Fuzzy Hash: E551B130A00305AFDB50EFB4D948AAFB7A6FF84215F108969E4069B745EF34DD09CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064AD3D0 Relevance: 1.6, APIs: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 064AD431

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8c117b634ff1b9b7b49b55f932cf27b838402281934603cb0dca8db3a4af6958
Instruction ID: 00b7a8cae1364a9fb6d71b966f84757e80a6c612d710685e34e3e07821862e93
Opcode Fuzzy Hash: 8c117b634ff1b9b7b49b55f932cf27b838402281934603cb0dca8db3a4af6958
Instruction Fuzzy Hash: 79519531E00205AFCB54EFB4D948AAFB7A6FF84215F108929E5129B754DF34ED08CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064ACA4A Relevance: 1.6, APIs: 1, Instructions: 123registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 064ACB59

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 352fc11ce620a3bd00241e7eb9801d3b875180871939f9a919e25a58dccb55fc
Instruction ID: af361d8f641eab64f202a42ce517604d246e69448aaf8a33f7041fa66b8e6261
Opcode Fuzzy Hash: 352fc11ce620a3bd00241e7eb9801d3b875180871939f9a919e25a58dccb55fc
Instruction Fuzzy Hash: DA4132B0E00358AFCB50CFA9D884A9EBFF5AF48344F54816AE819AB310D7759805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064AC788 Relevance: 1.6, APIs: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 064AC89C

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ffcd2bd447d42a2f5b871df3b075eb4022cd9bde60618f45c0b2d65274b2c4d6
Instruction ID: 368a5f14ccbfa57861f2eecfcf67df0c089ceb8723fc05228f12ccaee8519c8c
Opcode Fuzzy Hash: ffcd2bd447d42a2f5b871df3b075eb4022cd9bde60618f45c0b2d65274b2c4d6
Instruction Fuzzy Hash: EF4145B0D013499FDB51CFA8C584A9EBBF5BF48304F25856AE808AB341D7749849CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 064AC0F8 Relevance: 1.6, APIs: 1, Instructions: 88registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 064ACB59

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 072747efa8ed7952d6298bf018c8f2f9cfcc17c31f1e661196aad7a6eef8ebc8
Instruction ID: 622bfe82b3c49329a824288beee8085485386903f94fd8ff663bc7400bf192a1
Opcode Fuzzy Hash: 072747efa8ed7952d6298bf018c8f2f9cfcc17c31f1e661196aad7a6eef8ebc8
Instruction Fuzzy Hash: 8831EFB1D00358EFCB60CFAAD984A9EBBF5BF48310F54812AE819AB310D7759905CF90

Uniqueness

Uniqueness Score: -1.00%

Function 064AC0EC Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,00000000,?,00000001,?), ref: 064AC89C

Memory Dump Source

Source File: 00000001.00000002.579104491.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_64a0000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 33ecdc6dbf610273e6d485313e3cefe53b71a907831c48875ba289341e373f4e
Instruction ID: f815f6795255cfd31081e892d85553cc6c2a29363d6b2c5ffe2def1eec9f09d1
Opcode Fuzzy Hash: 33ecdc6dbf610273e6d485313e3cefe53b71a907831c48875ba289341e373f4e
Instruction Fuzzy Hash: EC31EFB1D00349DFDB50CF99C684A8EFBF5BF48304F24856AE809AB341C7759985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 012BE16A Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.571958025.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d02faa583cb267c2536901e8d9c518e775feece96dc9029b5be0c882926d288e
Instruction ID: 5d0f36582d47ba95ae390a6be2a991a445ddeda44707ca072bf713b1384f1bc1
Opcode Fuzzy Hash: d02faa583cb267c2536901e8d9c518e775feece96dc9029b5be0c882926d288e
Instruction Fuzzy Hash: 83916D7604A7C19FD3134FA48D916C17FB0EF17320F1E89DBD9C08A2A3D22A9959D762

Uniqueness

Uniqueness Score: -1.00%

Function 012AD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.571913765.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d78c35bc6036c91f382c9a08354cc9243a2843c27db99679c15f07f12aef35
Instruction ID: c2af03f292e72eeb7b3605524320ec7dfe592c27af4c6f98e028b4cdf1303a40
Opcode Fuzzy Hash: c2d78c35bc6036c91f382c9a08354cc9243a2843c27db99679c15f07f12aef35
Instruction Fuzzy Hash: 19214571510208DFDB01DF94D9C0BA6BB61FB84324F60C979E9090BB06C33AE84ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 012BE3F0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.571958025.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12bd000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3139b017dc61d08e2bc83a2e6e50f295ce3bf5642a322a9c449b1a5d2bf81a9c
Instruction ID: c8f525211362422a7afacdf7978762841298ff082defa0154951efec60c7dc01
Opcode Fuzzy Hash: 3139b017dc61d08e2bc83a2e6e50f295ce3bf5642a322a9c449b1a5d2bf81a9c
Instruction Fuzzy Hash: E4213475614204EFCB05CF24D9C4BA6BB71FB84364F24C969DA494B346C37ED84ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 012AD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.571913765.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_12ad000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95a58f6c018f3728783d1a413ec92afad62c72efd4f494350a5dd109fd946cf
Instruction ID: 3a1aa0d943ca6d9b98cde484e4c93fdc9eb5acf8b072294fef95c710e785c8e2
Opcode Fuzzy Hash: e95a58f6c018f3728783d1a413ec92afad62c72efd4f494350a5dd109fd946cf
Instruction Fuzzy Hash: B311D376504284DFCB12CF54D5C4B56BF72FB84320F24C6A9D9484BA16C33AE456CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Function 00B9B6D0 Relevance: 6.1, APIs: 4, Instructions: 120
threadCOMMON

Function 00B93DE4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96
COMMON

Function 00B994B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 00B9FCED Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Function 00B9FD38 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Function 00B998B0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 00B9B95A Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Function 06475110 Relevance: 2.1, APIs: 1, Instructions: 628
libraryCOMMON

Function 061A7C88 Relevance: 3.4, APIs: 2, Instructions: 361
COMMON

Function 061A7CA9 Relevance: 1.9, APIs: 1, Instructions: 361
COMMON

Function 061A7CEE Relevance: 1.9, APIs: 1, Instructions: 354
COMMON

Function 061A7D33 Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Function 061A7D78 Relevance: 1.8, APIs: 1, Instructions: 340
COMMON

Function 061A7DBD Relevance: 1.8, APIs: 1, Instructions: 333
COMMON

Function 061A7E02 Relevance: 1.8, APIs: 1, Instructions: 324
COMMON

Function 061A7E3E Relevance: 1.8, APIs: 1, Instructions: 319
COMMON

Function 061A7E83 Relevance: 1.8, APIs: 1, Instructions: 312
COMMON

Function 061A7EC8 Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Function 061A7F04 Relevance: 1.8, APIs: 1, Instructions: 298
COMMON

Function 061A7F49 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Function 061A7F8E Relevance: 1.8, APIs: 1, Instructions: 284
COMMON

Function 061A7FD3 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre