Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Analysis ID:	756011
MD5:	277a9cd8ef361888eb41a6b7d0d94e26
SHA1:	9b703e613307793cd9f0309eb458d5f12f8400dd
SHA256:	8cdfbe67b609226da852adf3db3098941cffda7cea7443b935e1eed5fdae0bf3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4356 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe (PID: 4596 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe MD5: 277A9CD8EF361888EB41A6B7D0D94E26)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31cfe:$a13: get_DnsResolver 0x303f3:$a20: get_LastAccessed 0x3272c:$a27: set_InternalServerPort 0x32a61:$a30: set_GuidMasterKey 0x30505:$a33: get_Clipboard 0x30513:$a34: get_Keyboard 0x318f8:$a35: get_ShiftKeyDown 0x31909:$a36: get_AltKeyDown 0x30520:$a37: get_Password 0x31053:$a38: get_PasswordHash 0x32160:$a39: get_DefaultCredentials
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14f81e:$a13: get_DnsResolver 0x18603e:$a13: get_DnsResolver 0x1bc65e:$a13: get_DnsResolver 0x14df13:$a20: get_LastAccessed 0x184733:$a20: get_LastAccessed 0x1bad53:$a20: get_LastAccessed 0x15024c:$a27: set_InternalServerPort 0x186a6c:$a27: set_InternalServerPort 0x1bd08c:$a27: set_InternalServerPort 0x150581:$a30: set_GuidMasterKey 0x186da1:$a30: set_GuidMasterKey 0x1bd3c1:$a30: set_GuidMasterKey 0x14e025:$a33: get_Clipboard 0x184845:$a33: get_Clipboard 0x1bae65:$a33: get_Clipboard 0x14e033:$a34: get_Keyboard 0x184853:$a34: get_Keyboard 0x1bae73:$a34: get_Keyboard 0x14f418:$a35: get_ShiftKeyDown 0x185c38:$a35: get_ShiftKeyDown 0x1bc258:$a35: get_ShiftKeyDown
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x8a6fa:$a13: get_DnsResolver 0x896cd:$a20: get_LastAccessed 0x8ad9c:$a27: set_InternalServerPort 0x8af83:$a30: set_GuidMasterKey 0x897b3:$a33: get_Clipboard 0x897c1:$a34: get_Keyboard 0x8a477:$a35: get_ShiftKeyDown 0x8a488:$a36: get_AltKeyDown 0x897ce:$a37: get_Password 0x89efd:$a38: get_PasswordHash 0x8a9ba:$a39: get_DefaultCredentials
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x55c8d:$a13: get_DnsResolver 0x545e2:$a20: get_LastAccessed 0x5666a:$a27: set_InternalServerPort 0x568d1:$a30: set_GuidMasterKey 0x546dd:$a33: get_Clipboard 0x546eb:$a34: get_Keyboard 0x55923:$a35: get_ShiftKeyDown 0x55934:$a36: get_AltKeyDown 0x546f8:$a37: get_Password 0x55187:$a38: get_PasswordHash 0x560c3:$a39: get_DefaultCredentials
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0xd16e:$v1: SbieDll.dll 0xd188:$v2: USER 0xd194:$v3: SANDBOX 0xd1a6:$v4: VIRUS 0xd1f6:$v4: VIRUS 0xd1b4:$v5: MALWARE 0xd1c6:$v6: SCHMIDTI 0xd1da:$v7: CURRENTUSER
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x344ba:$s11: credential 0x30705:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x30720:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x31b09:$g6: get_AltKeyDown
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x31b09:$a36: get_AltKeyDown 0x30720:$a37: get_Password 0x31253:$a38: get_PasswordHash 0x32360:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32c40:$s10: logins 0x326ba:$s11: credential 0x2e905:$g1: get_Clipboard 0x2e913:$g2: get_Keyboard 0x2e920:$g3: get_Password 0x2fce8:$g4: get_CtrlKeyDown 0x2fcf8:$g5: get_ShiftKeyDown 0x2fd09:$g6: get_AltKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x300fe:$a13: get_DnsResolver 0x2e7f3:$a20: get_LastAccessed 0x30b2c:$a27: set_InternalServerPort 0x30e61:$a30: set_GuidMasterKey 0x2e905:$a33: get_Clipboard 0x2e913:$a34: get_Keyboard 0x2fcf8:$a35: get_ShiftKeyDown 0x2fd09:$a36: get_AltKeyDown 0x2e920:$a37: get_Password 0x2f453:$a38: get_PasswordHash 0x30560:$a39: get_DefaultCredentials
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x2a93e:$v1: SbieDll.dll 0x2a958:$v2: USER 0x2a964:$v3: SANDBOX 0x2a976:$v4: VIRUS 0x2a9c6:$v4: VIRUS 0x2a984:$v5: MALWARE 0x2a996:$v6: SCHMIDTI 0x2a9aa:$v7: CURRENTUSER
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x34a40:$s10: logins 0x6b260:$s10: logins 0xa1880:$s10: logins 0x344ba:$s11: credential 0x6acda:$s11: credential 0xa12fa:$s11: credential 0x30705:$g1: get_Clipboard 0x66f25:$g1: get_Clipboard 0x9d545:$g1: get_Clipboard 0x30713:$g2: get_Keyboard 0x66f33:$g2: get_Keyboard 0x9d553:$g2: get_Keyboard 0x30720:$g3: get_Password 0x66f40:$g3: get_Password 0x9d560:$g3: get_Password 0x31ae8:$g4: get_CtrlKeyDown 0x68308:$g4: get_CtrlKeyDown 0x9e928:$g4: get_CtrlKeyDown 0x31af8:$g5: get_ShiftKeyDown 0x68318:$g5: get_ShiftKeyDown 0x9e938:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x31efe:$a13: get_DnsResolver 0x6871e:$a13: get_DnsResolver 0x9ed3e:$a13: get_DnsResolver 0x305f3:$a20: get_LastAccessed 0x66e13:$a20: get_LastAccessed 0x9d433:$a20: get_LastAccessed 0x3292c:$a27: set_InternalServerPort 0x6914c:$a27: set_InternalServerPort 0x9f76c:$a27: set_InternalServerPort 0x32c61:$a30: set_GuidMasterKey 0x69481:$a30: set_GuidMasterKey 0x9faa1:$a30: set_GuidMasterKey 0x30705:$a33: get_Clipboard 0x66f25:$a33: get_Clipboard 0x9d545:$a33: get_Clipboard 0x30713:$a34: get_Keyboard 0x66f33:$a34: get_Keyboard 0x9d553:$a34: get_Keyboard 0x31af8:$a35: get_ShiftKeyDown 0x68318:$a35: get_ShiftKeyDown 0x9e938:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0xcba60:$s10: logins 0x102280:$s10: logins 0x1388a0:$s10: logins 0xcb4da:$s11: credential 0x101cfa:$s11: credential 0x13831a:$s11: credential 0xc7725:$g1: get_Clipboard 0xfdf45:$g1: get_Clipboard 0x134565:$g1: get_Clipboard 0xc7733:$g2: get_Keyboard 0xfdf53:$g2: get_Keyboard 0x134573:$g2: get_Keyboard 0xc7740:$g3: get_Password 0xfdf60:$g3: get_Password 0x134580:$g3: get_Password 0xc8b08:$g4: get_CtrlKeyDown 0xff328:$g4: get_CtrlKeyDown 0x135948:$g4: get_CtrlKeyDown 0xc8b18:$g5: get_ShiftKeyDown 0xff338:$g5: get_ShiftKeyDown 0x135958:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x3501f:$s1: file:/// 0x34f2f:$s2: {11111-22222-10009-11112} 0x34faf:$s3: {11111-22222-50001-00000} 0x341d9:$s4: get_Module 0x34554:$s5: Reverse 0xc7cee:$s5: Reverse 0xfe50e:$s5: Reverse 0x134b2e:$s5: Reverse 0x2f62d:$s6: BlockCopy 0xc9d34:$s6: BlockCopy 0x100554:$s6: BlockCopy 0x136b74:$s6: BlockCopy 0xc7fac:$s7: ReadByte 0xfe7cc:$s7: ReadByte 0x134dec:$s7: ReadByte 0x35031:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0xc8f1e:$a13: get_DnsResolver 0xff73e:$a13: get_DnsResolver 0x135d5e:$a13: get_DnsResolver 0xc7613:$a20: get_LastAccessed 0xfde33:$a20: get_LastAccessed 0x134453:$a20: get_LastAccessed 0xc994c:$a27: set_InternalServerPort 0x10016c:$a27: set_InternalServerPort 0x13678c:$a27: set_InternalServerPort 0xc9c81:$a30: set_GuidMasterKey 0x1004a1:$a30: set_GuidMasterKey 0x136ac1:$a30: set_GuidMasterKey 0xc7725:$a33: get_Clipboard 0xfdf45:$a33: get_Clipboard 0x134565:$a33: get_Clipboard 0xc7733:$a34: get_Keyboard 0xfdf53:$a34: get_Keyboard 0x134573:$a34: get_Keyboard 0xc8b18:$a35: get_ShiftKeyDown 0xff338:$a35: get_ShiftKeyDown 0x135958:$a35: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x151850:$s10: logins 0x188070:$s10: logins 0x1be690:$s10: logins 0x1512ca:$s11: credential 0x187aea:$s11: credential 0x1be10a:$s11: credential 0x14d515:$g1: get_Clipboard 0x183d35:$g1: get_Clipboard 0x1ba355:$g1: get_Clipboard 0x14d523:$g2: get_Keyboard 0x183d43:$g2: get_Keyboard 0x1ba363:$g2: get_Keyboard 0x14d530:$g3: get_Password 0x183d50:$g3: get_Password 0x1ba370:$g3: get_Password 0x14e8f8:$g4: get_CtrlKeyDown 0x185118:$g4: get_CtrlKeyDown 0x1bb738:$g4: get_CtrlKeyDown 0x14e908:$g5: get_ShiftKeyDown 0x185128:$g5: get_ShiftKeyDown 0x1bb748:$g5: get_ShiftKeyDown
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xbae0f:$s1: file:/// 0xbad1f:$s2: {11111-22222-10009-11112} 0xbad9f:$s3: {11111-22222-50001-00000} 0xb9fc9:$s4: get_Module 0xba344:$s5: Reverse 0x14dade:$s5: Reverse 0x1842fe:$s5: Reverse 0x1ba91e:$s5: Reverse 0xb541d:$s6: BlockCopy 0x14fb24:$s6: BlockCopy 0x186344:$s6: BlockCopy 0x1bc964:$s6: BlockCopy 0x14dd9c:$s7: ReadByte 0x1845bc:$s7: ReadByte 0x1babdc:$s7: ReadByte 0xbae21:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x14ed0e:$a13: get_DnsResolver 0x18552e:$a13: get_DnsResolver 0x1bbb4e:$a13: get_DnsResolver 0x14d403:$a20: get_LastAccessed 0x183c23:$a20: get_LastAccessed 0x1ba243:$a20: get_LastAccessed 0x14f73c:$a27: set_InternalServerPort 0x185f5c:$a27: set_InternalServerPort 0x1bc57c:$a27: set_InternalServerPort 0x14fa71:$a30: set_GuidMasterKey 0x186291:$a30: set_GuidMasterKey 0x1bc8b1:$a30: set_GuidMasterKey 0x14d515:$a33: get_Clipboard 0x183d35:$a33: get_Clipboard 0x1ba355:$a33: get_Clipboard 0x14d523:$a34: get_Keyboard 0x183d43:$a34: get_Keyboard 0x1ba363:$a34: get_Keyboard 0x14e908:$a35: get_ShiftKeyDown 0x185128:$a35: get_ShiftKeyDown 0x1bb748:$a35: get_ShiftKeyDown
Click to see the 21 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Virustotal: Detection: 27%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Joe Sandbox ML: detected

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail2.bpk-spb.ru", "Username": "grafkina.gg@sasta.ru", "Password": "SGZ3574344"}

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 78.140.195.54:587

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384518788.0000000006EA3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CABD2A79A1076A31F21D253635CB0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.1.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383888553.0000000006BFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fhESbX.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail2.bpk-spb.ru
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.580423251.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.coC?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.accv.es0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.pki.gva.es0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384993675.0000000006E0D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org/doc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.acabogacia.org0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.accv.es00
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ancert.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384993675.0000000006E0D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384432501.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579625475.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.defence.gov.au/pki0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.disig.sk/ca0f
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.dnie.es/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-me.lv/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.eme.lv/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.globaltrust.info0=
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.oaticerts.com/repository.
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385288042.0000000006B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384504580.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.rcsc.lt/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.ssc.lt/cps03
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000003.309946235.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.coma-e
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573111699.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573111699.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385052025.00000000014F0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://eca.hinet.net/repository0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ffKDeOcgRB9.org
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.catcert.net/verarrel05
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.net/docs
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: unknown

DNS traffic detected: queries for: mail2.bpk-spb.ru

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6C97159Du002d948Au002d4C34u002d8EDEu002dBB37431C88DCu007d/u0037D11B9D8u002d0763u002d4715u002d8625u002d2EAD2336D536.cs

Large array initialization: .cctor: array initializer size 10930

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 0_2_00B9C164
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 0_2_00B9E5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AC358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AD0A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A0040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A0910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A29F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647A613
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06477AB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06470040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647F868
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06479568
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06475110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06474758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06471F88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647F470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A2E08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064AAF98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064AD898
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A8908
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A6598
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_064A2DA4

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.347920571.0000000007120000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345204816.0000000004E10000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameqzSt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000000.334183368.0000000000438000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilename81a6843b-1903-472e-8fd2-c4bedf070891.exe4 vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.571795820.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Binary or memory string: OriginalFilenameqzSt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	ReversingLabs: Detection: 34%
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Virustotal: Detection: 27%

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File created: C:\Users\user\AppData\Local\Temp\tmp2CA3.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/2

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000000.300564846.0000000000372000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	String found in binary or memory: Username:-AddusertextBoxUsernameCash

Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AAEC0 push 8BD08B66h; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AAC98 push 8B000005h; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061A5C90 push eax; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_061AB569 push es; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_06470040 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D646 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D64E push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D656 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D652 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D65E push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D65A push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D662 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D60E push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D612 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6D6 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6D2 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6DE push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6DA push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6E6 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6E2 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6EE push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6F6 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6F2 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647DAF0 push es; retf
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6FA push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6A6 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6AE push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D6AA push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D746 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D742 push es; iretd
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Code function: 1_2_0647D76E push es; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.671253644478303

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.28b0724.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.2892f54.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 5928	Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 4464	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 4012	Thread sleep count: 9518 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99466s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99320s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99197s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -99038s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98496s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98372s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98265s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -98150s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -97957s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -97437s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96916s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96789s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96605s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96482s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96359s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96246s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96135s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -96028s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95903s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95780s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95671s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 5880	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95555s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95427s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95297s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -95155s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94976s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94750s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94530s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94421s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94250s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94140s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -94000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93843s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93654s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93515s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93406s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93296s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93183s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -93062s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92952s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92843s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92714s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe TID: 2912	Thread sleep time: -92592s >= -30000s

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Window / User API: threadDelayed 9518

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 38122
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99703
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99466
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99197
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 99038
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98496
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98372
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98265
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 98150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 97957
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 97437
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96916
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96789
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96605
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96482
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96359
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96246
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96135
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 96028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95903
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95671
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95555
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95427
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95297
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 95155
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94976
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94421
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 94000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93654
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93515
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93406
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93296
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93183
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 93062
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92952
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92714
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Thread delayed: delay time: 92592

Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579940741.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579940741.0000000006C60000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-QoS Packet Scheduler-00009

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Code function: 1_2_06475110 LdrInitializeThunk,

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3bf5920.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3b5e900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.3ad8b10.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe PID: 4596, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Credentials in Registry	211 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	3 Software Packing	DCSync	114 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	34%	ReversingLabs	ByteCode-MSIL.Infostealer.DarkStealer
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	28%	Virustotal		Browse
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.0.SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

Source	Detection	Scanner	Label	Link
c-0001.c-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3.crl0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.e-me.lv/repository0	0%	URL Reputation	safe
http://www.acabogacia.org/doc0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://ocsp.suscerte.gob.ve0	0%	URL Reputation	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	URL Reputation	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	URL Reputation	safe
http://www.suscerte.gob.ve/lcr0#	0%	URL Reputation	safe
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	URL Reputation	safe
http://crl.ssc.lt/root-c/cacrl.crl0	0%	URL Reputation	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	URL Reputation	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.suscerte.gob.ve/dpc0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	URL Reputation	safe
http://www.defence.gov.au/pki0	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.sk.ee/cps/0	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://www.ssc.lt/cps03	0%	URL Reputation	safe
http://ocsp.pki.gva.es0	0%	URL Reputation	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	URL Reputation	safe
http://ca.mtin.es/mtin/ocsp0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
https://wwww.certigna.fr/autorites/0m	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.dnie.es/dpc0	0%	URL Reputation	safe
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	URL Reputation	safe
http://microsoft.coC?	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://fhESbX.com	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	URL Reputation	safe
http://www.globaltrust.info0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://ac.economia.gob.mx/last.crl0G	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://www.disig.sk/ca0f	0%	URL Reputation	safe
http://www.sk.ee/juur/crl/0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	URL Reputation	safe
http://crl.oces.trust2408.com/oces.crl0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	URL Reputation	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	URL Reputation	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	URL Reputation	safe
http://www.accv.es00	0%	URL Reputation	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	URL Reputation	safe
https://www.netlock.net/docs	0%	URL Reputation	safe
http://www.e-trust.be/CPS/QNcerts	0%	URL Reputation	safe
http://ocsp.ncdc.gov.sa0	0%	URL Reputation	safe
http://mail2.bpk-spb.ru	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	0%	URL Reputation	safe
https://repository.luxtrust.lu0	0%	URL Reputation	safe
http://www.tiro.coma-e	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c-0001.c-msedge.net	13.107.4.50	true	false	0%, Virustotal, Browse	unknown
mail2.bpk-spb.ru	78.140.195.54	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383888553.0000000006BFC000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.e-me.lv/repository0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.acabogacia.org/doc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.suscerte.gob.ve0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://repository.swisssign.com/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.suscerte.gob.ve/lcr0#	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.suscerte.gob.ve/dpc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384119215.0000000006BE4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fhESbX.com	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.defence.gov.au/pki0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.globaltrust.info0=	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.anf.es	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://microsoft.coC?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.580423251.0000000006E91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.registradores.org/normativa/index.htm0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.root-x1.letsencrypt.org0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://policy.camerfirma.com0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ssc.lt/cps03	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.anf.es/es/address-direccion.html	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.anf.es/address/)1(0&	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.coma-e	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000003.309946235.0000000000ECC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/ocsp0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cps.letsencrypt.org0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.385128719.0000000001504000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573185738.000000000150C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.572908994.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
https://wwww.certigna.fr/autorites/0m	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.dnie.es/dpc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail2.bpk-spb.ru	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.576650294.00000000033DE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.globaltrust.info0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579679447.0000000006BDF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certificates.starfieldtech.com/repository/1604	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://acedicom.edicomgroup.com/doc0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class3TS.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://crl.anf.es/AC/ANFServerCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384553962.0000000006E20000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://ac.economia.gob.mx/last.crl0G	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.catcert.net/verarrel	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579642195.0000000006BBD000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-szigno.hu/RootCA.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sk.ee/juur/crl/0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://eca.hinet.net/repository0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383812134.0000000006BDB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.accv.es00	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384504580.0000000006BC5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384190628.0000000006BC1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.e-trust.be/CPS/QNcerts	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.ncdc.gov.sa0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designersG	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://fedir.comsign.co.il/crl/ComSignCA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384847493.0000000006E12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384610055.0000000006E04000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384130770.0000000006BA7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.datev.de/zertifikat-policy-int0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384432501.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384041947.0000000006BC6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000002.579625475.0000000006BA5000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384366166.0000000006B8E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.384238128.0000000006B7B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000000.00000002.345955674.0000000006852000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe, 00000001.00000003.383679132.0000000006E85000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.140.195.54	mail2.bpk-spb.ru	Russian Federation		35000	PROMETEYPROMETEYLLCRU	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756011
Start date and time:	2022-11-29 13:52:42 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 5s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/3@1/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.4.50, 209.197.3.8
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:53:54	API Interceptor	652x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe modified

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 62919 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	62919
Entropy (8bit):	7.995280921994772
Encrypted:	true
SSDEEP:	1536:d+OfVxHl7Wyf11lYom3xQcRVOtPHwQV4rP6Ji7:d+OxHxJlZcuPt4b6q
MD5:	3DCF580A93972319E82CAFBC047D34D5
SHA1:	8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
SHA-256:	40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1
SHA-512:	98384BE7218340F95DAE88D1CB865F23A0B4E12855BEB6E74A3752274C9B4C601E493864DB777BCA677A370D0A9DBFFD68D94898A82014537F3A801CCE839C42
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I.......Q.........GU.\ .authroot.stl..O..5..CK..<Tk...c_.d....A.K...+.d.-;%.BJII!.QIR..$t)Kd.-QQ...g......^..~\|N=...y....{. .4{...W....b.i...j.I.......1:..b\.0.....Ait.2t......w.%.&.",tL_...4.8L[G..;.57....AT.k.......V..K......(....mzS...G....r.".=H.?>.........x&...S%....X.M^..j...A..x.9`.9...A../.s..#.4#.....Id.w..B....s.8..(...dj....=L.)..s.d.]NxQX8....stV#.K.'7.tH..9u~.2..!..2./.....!..9C../...mP $..../y.....@p.6.}.`...5. 0r.w...@(.. .Q....)g.........m..z.8rR..).].T9r<.L....0..`.........c.....;-.g..;.wk.)......i..c5.....{v.u...AS..=.....&.:.........+..P.N..9..EAQ.V.$s.......B.`.Mfe..8.......$...y-.q9J........W...2.Q8...O.......i..@\^.=X..dG$.M..#=....m.h..{9.'...-.v..Z...!....z.....N....i..^..,........d...%Xa~q.@D\|0...Y.m...........&d.4..A..{t=...../.t.3._.....?-.....uroP?.d.Z..S..{...$.i....X..$.O..4..N.)....U.Z..P....X,.... ...Lg..35..W..s.!c...Ap.].P..8..M..W.......U..,...m.u..\|=.m1..~..!..b...._.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1085359935940406
Encrypted:	false
SSDEEP:	6:kKLTEN1HlNiN+SkQlPlEGYRMY9z+4KlDA3RUeKlTAlWRyf1:DTk/kPlE99SNxAhUexYo1
MD5:	B81EE1A8A335587B8E02783E3D400D2D
SHA1:	68C4FAB0E6B9330789ADE1048D8BA46D5DE2C544
SHA-256:	ADCF90B3C43AF8DC7E11AFC46523C7D3EEF91AAB890B27D8C91505C1DBE62B3C
SHA-512:	EFA34C213A89887618E2998A1020AE87DECF11BC4F9AA7A8E3436DCED18E6313AD8D921465AF033CEFFB8383A2B11CFD453C588FAF7D4EB2DDEC460621D1B5EA
Malicious:	false
Reputation:	low
Preview:	p...... ........"S.!B...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.d.e.4.d.3.9.b.e.8.d.8.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.664770270231839
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
File size:	960000
MD5:	277a9cd8ef361888eb41a6b7d0d94e26
SHA1:	9b703e613307793cd9f0309eb458d5f12f8400dd
SHA256:	8cdfbe67b609226da852adf3db3098941cffda7cea7443b935e1eed5fdae0bf3
SHA512:	fb35b96d3153b13ec2cea3c243114b9e1c8a58ee391c94f44555a2d7c07137702a4230446f616373c0cf139695d3dcf8fcc9a55de778ad2112f6874011dad44d
SSDEEP:	12288:o/x3qU+ai4t0ZiB3s8K4fMP7zs5y8m6Zwjz2boW9zq1krmvkhog/6Fb7wqzwBSDE:mxR0i3s8qDww8m6ZcQq21ht6woDdEPf
TLSH:	FC15DF8023A6AF75F1296BF37421900827B63C5EA5F1D2296DCDF0DE2A71B415AF0B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4ebd9a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6385B5DD [Tue Nov 29 07:33:49 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xebd48	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xec000	0x388	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xee000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe9da0	0xe9e00	False	0.8298025370791021	data	7.671253644478303	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xec000	0x388	0x400	False	0.37109375	data	2.860979956316595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xee000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xec058	0x32c	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:54:15.805341959 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:15.861587048 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:15.861691952 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:15.996521950 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:15.996942043 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.049736023 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.053610086 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.094831944 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.097780943 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.157645941 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.161354065 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.204152107 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.760996103 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.815157890 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815237999 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815262079 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815372944 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.815437078 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815469027 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.815517902 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.867993116 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:16.928946018 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.933392048 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:16.994105101 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:17.048006058 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.626239061 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.682285070 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.684568882 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.747383118 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.748119116 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.817748070 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.818945885 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.877036095 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.877501965 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.938349009 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.938827991 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.992013931 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:21.995357990 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.995471001 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.995975018 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:21.996053934 CET	49702	587	192.168.2.5	78.140.195.54
Nov 29, 2022 13:54:22.061959982 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.061983109 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.679898024 CET	587	49702	78.140.195.54	192.168.2.5
Nov 29, 2022 13:54:22.720345974 CET	49702	587	192.168.2.5	78.140.195.54

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 13:54:15.704055071 CET	51441	53	192.168.2.5	8.8.8.8
Nov 29, 2022 13:54:15.779623985 CET	53	51441	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 13:54:15.704055071 CET	192.168.2.5	8.8.8.8	0x57e7	Standard query (0)	mail2.bpk-spb.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 13:54:15.779623985 CET	8.8.8.8	192.168.2.5	0x57e7	No error (0)	mail2.bpk-spb.ru		78.140.195.54	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:15.779623985 CET	8.8.8.8	192.168.2.5	0x57e7	No error (0)	mail2.bpk-spb.ru		217.119.27.174	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:19.506061077 CET	8.8.8.8	192.168.2.5	0x7664	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 13:54:19.506061077 CET	8.8.8.8	192.168.2.5	0x7664	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false
Nov 29, 2022 13:54:34.261774063 CET	8.8.8.8	192.168.2.5	0x2e9b	No error (0)	au.c-0001.c-msedge.net	c-0001.c-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 29, 2022 13:54:34.261774063 CET	8.8.8.8	192.168.2.5	0x2e9b	No error (0)	c-0001.c-msedge.net		13.107.4.50	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Nov 29, 2022 13:54:15.996521950 CET	587	49702	78.140.195.54	192.168.2.5	220 mail2.bpk-spb.ru ESMTP Postfix
Nov 29, 2022 13:54:15.996942043 CET	49702	587	192.168.2.5	78.140.195.54	EHLO 019635
Nov 29, 2022 13:54:16.053610086 CET	587	49702	78.140.195.54	192.168.2.5	250-mail2.bpk-spb.ru 250-PIPELINING 250-SIZE 36214400 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250-SMTPUTF8 250 CHUNKING
Nov 29, 2022 13:54:16.097780943 CET	49702	587	192.168.2.5	78.140.195.54	STARTTLS
Nov 29, 2022 13:54:16.161354065 CET	587	49702	78.140.195.54	192.168.2.5	220 2.0.0 Ready to start TLS

Target ID:	0
Start time:	13:53:42
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Imagebase:	0x370000
File size:	960000 bytes
MD5 hash:	277A9CD8EF361888EB41A6B7D0D94E26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.342203286.0000000002B7B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.340639694.0000000002871000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.343455182.0000000003AD8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exePID: 4596, Parent PID: 4356

General

Target ID:	1
Start time:	13:53:56
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe
Imagebase:	0xc70000
File size:	960000 bytes
MD5 hash:	277A9CD8EF361888EB41A6B7D0D94E26
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.332476278.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.573661423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.12191.6105.exe

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre