Sandbox version: 36.0.0 Rainbow Opal
IR
Analysis ID: 756014
CloudBasic
Analysis time: 13:59:37
Analysis date: 29/11/2022
Sample name: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: b5678475c3c15fdafff2c5c8b49d5dc1
SHA1: 7407554011988292b3e3522e19edb5532f21ee4e
SHA256: 755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path, flag as reported, MD5, SHA1, SHA256):

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.log
  flag: true
  MD5: 2E016B886BDB8389D2DD0867BE55F87B
  SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
  SHA256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVgCuQEDo.exe.log
  flag: false
  MD5: 2E016B886BDB8389D2DD0867BE55F87B
  SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
  SHA256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  flag: false
  MD5: 9E6FE6CE3EC2053BDD9336BEBCEC7BFD
  SHA1: F16BA0E2A413B771831E4B475D96F68799E25626
  SHA256: AA1C7C78727345DC5821A8C8A92A3D6BE656CDF0AB8CC873FB9B3A15734FBA82

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fptjlsd3.wea.ps1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gym543un.edp.psm1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mm30uqch.onq.psm1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vh10hp4k.web.ps1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
  flag: true
  MD5: 57E1BE44A6D2766E524D20545B4191F8
  SHA1: F1F39EB3ADCF81BD3D5EBF64E7357016327D3018
  SHA256: 5875F2790D53322F299C8A7719E1E262A58FF0C3BC8BC3CAD4A6B34886150816

C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp
  flag: false
  MD5: 57E1BE44A6D2766E524D20545B4191F8
  SHA1: F1F39EB3ADCF81BD3D5EBF64E7357016327D3018
  SHA256: 5875F2790D53322F299C8A7719E1E262A58FF0C3BC8BC3CAD4A6B34886150816

C:\Users\user\AppData\Roaming\bVgCuQEDo.exe (same hashes as the submitted sample)
  flag: true
  MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1
  SHA1: 7407554011988292B3E3522E19EDB5532F21EE4E
  SHA256: 755C44B90198282D2494321B4CB18CAB7E4426EFD1B7F4A20F2A0793D68A2A1F

C:\Users\user\AppData\Roaming\bVgCuQEDo.exe:Zone.Identifier
  flag: true
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
URLs (URL | flag as reported | verdict; - = no verdict given; strings kept exactly as extracted, trailing characters included):

http://www.autoitscript.com/autoit3/J | false | unknown
http://www.apache.org/licenses/LICENSE-2.0 | false | unknown
http://www.fontbureau.com | false | unknown
http://www.fontbureau.com/designersG | false | unknown
http://www.fontbureau.com/designers/? | false | unknown
http://www.founder.com.cn/cn/bThe | false | unknown
http://www.fontbureau.com/designers? | false | unknown
http://www.tiro.com | false | unknown
http://www.fontbureau.com/designers | false | unknown
http://www.goodfont.co.kr | false | unknown
www.mahalaburn.com/k0ud/ | true | -
http://www.carterandcone.coml | false | unknown
http://www.sajatypeworks.com | false | unknown
http://www.typography.netD | false | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | unknown
http://www.founder.com.cn/cn/cThe | false | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | unknown
http://fontfabrik.com | false | unknown
http://www.founder.com.cn/cn | false | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | unknown
http://www.fontbureau.comlvfet | false | unknown
http://www.jiyu-kobo.co.jp/ | false | unknown
http://www.galapagosdesign.com/DPlease | false | unknown
http://www.fontbureau.com/designers8 | false | unknown
http://www.fontbureau.coma%O | false | unknown
http://www.fonts.com | false | unknown
http://www.sandoll.co.kr | false | unknown
http://www.urwpp.deDPlease | false | unknown
http://www.zhongyicts.com.cn | false | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | unknown
http://www.sakkal.com | false | unknown
Signatures:

Sample uses process hollowing technique
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Scheduled temp file as task from temp location
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules