
Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
Analysis ID: 756187
MD5: 2364501a86685f9a53d37d339549cee5
SHA1: ebacf33c1e9f53048a8e808429671ed489dc285d
SHA256: 74a3379894a1b92cb381a128c7fe7c5f97e1a12df02588ec816d1a4fc5dc0a25
Tags: exe

Detection

FormBook
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • cleanup

Extracted FormBook configuration (one C2 URL, 64 decoy domains):
{"C2 list": ["www.imperiumtowns.xyz/b3es/"], "decoy": ["sweets.wtf", "apextama.com", "tygbs.com", "kumaoedu.com", "bestbathroomremodeling.club", "lnshykj.com", "nelsonanddima.com", "falunap.info", "codyhinrichs.com", "2797vip.com", "danutka.com", "3o2t307a.com", "kellymariewest.com", "profilelonn.online", "procan.website", "sopjimmy.com", "xn--skdarkae-55ac80i.net", "entitymanaged.com", "melitadahl.art", "joineguru.net", "good-meme.com", "creditconepts.com", "narafconstruction.com", "paspsichologa.com", "rancho365.com", "rimplefeel.com", "kingsub.online", "cnsrdns.com", "billythepainter.com", "clientevirtualpdf.net", "marycruzruiz.com", "renaultcikmaparca.xyz", "1600156.com", "paymallmart.info", "garafe.com", "fredrikk.net", "gogo-tunisia.space", "center-me.com", "xiaohuayhq.com", "xn--h49a60xt7azzcm91a.com", "unidiliobobo.info", "libertypolestore.com", "20111210.net", "atraofix.online", "furniron.com", "mingyun58.com", "shfesmua.com", "rdougdigital.life", "safsip.com", "melon.town", "sagihigaibengo.net", "ethnicsbyak.com", "designoffaitheventsllc.com", "dpmforensics.com", "ripple-us.net", "fuyouhin-happiness.com", "conceptweb.online", "l453.net", "zenars.com", "mepcoonlinebill.com", "oonn99.xyz", "dackus.energy", "articvas.com", "yayuanlin.com"]}
FormBook sends its beacons to the single C2 and to a selection of the decoy domains using the same URI path, so that the real controller is buried in look-alike traffic. The decoys are ordinary registered domains; a contact with one of them is not a C2 indicator on its own, only the C2 list entry is.
Source | Rule | Description | Author | Strings
00000000.00000002.258835814.00000000024C6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.256915328.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x99cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x148b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x959a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 further memory-dump entries are collapsed in the exported report and are not reproduced here.)

Source | Rule | Description | Author | Strings
2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a19:$sqlite3step: 68 34 1C 7B E1
  • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a48:$sqlite3text: 68 38 2A 90 C5
  • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(11 further unpacked-PE entries are collapsed in the exported report and are not reproduced here.)

Every offset in the unpacked image (second table) is exactly 0x200 higher than the matching offset in the 0x401000 memory dump (first table): the dump begins at the first section's virtual address, whereas the rebuilt PE begins at the image base, so the constant shift is, most likely, the section's raw file offset. The 0x401000 region belongs to the second process (dump prefix 00000002), which matches the "Creates a process in suspended mode" signature: the decrypted FormBook payload lives in a child process, not in the submitted file. The JPCERT/CC strings are each a PUSH imm32 (opcode 0x68) whose immediate is FormBook's hash of an sqlite3 export name, which is how the bot resolves the SQLite functions it uses to read browser credential stores without importing them.
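The hex strings and offsets in the two tables above, as an added example (not from the report, Joe Security, yara-signator or JPCERT/CC): a small Python re-implementation of what those Yara hex strings match, so a dump can be checked against them without a Yara install. It assumes nothing beyond the bytes printed above. The buffer it scans is constructed for the example, the `??` wildcard support goes beyond what these particular rules need, and the sqlite3 names are only the rule's own labels for the three PUSH immediates (the hash function behind them is not reproduced here).

```python
import re
import struct

# Hex strings exactly as the report lists them for Windows_Trojan_Formbook_1112e116.
FORMBOOK_1112E116 = {
    "$a1": "3C 30 50 4F 53 54 74 09 40",
    "$a2": "74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55",
    "$a3": "1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01",
    "$a4": "04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83",
}

# JPCERT/CC "detect Formbook in memory": each string is an x86 PUSH imm32 whose
# immediate is FormBook's hash of an sqlite3 export (names as the rule labels them).
JPCERT_PUSHES = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}

# (memory-dump offset, unpacked-PE offset) pairs as printed in the two tables.
REPORTED_OFFSETS = {
    "$a1": (0x5251, 0x5451),
    "$a2": (0x1BB90, 0x1BD90),
    "$a3": (0x99CF, 0x9BCF),
    "$a4": (0x148B7, 0x14AB7),
}


def hex_string_to_regex(hex_string: str):
    """Compile a Yara-style hex string into a bytes regex.

    Handles the plain byte tokens used on this page and, as a generalisation,
    the `??` single-byte wildcard; jumps and alternations are not supported.
    """
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))  # ValueError on non-hex
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so `??` also matches 0x0A


def scan(buf: bytes, strings: dict) -> dict:
    """Return {string name: [match offsets]} for every string over the buffer."""
    return {name: [m.start() for m in hex_string_to_regex(hs).finditer(buf)]
            for name, hs in strings.items()}


def decode_push_imm32(code: bytes) -> int:
    """Decode `68 xx xx xx xx` (PUSH imm32) to its little-endian immediate."""
    if len(code) != 5 or code[0] != 0x68:
        raise ValueError("not a PUSH imm32 encoding")
    return struct.unpack("<I", code[1:])[0]


def push_immediates(strings: dict) -> dict:
    """The hash constants the JPCERT rule keys on, as integers."""
    return {name: decode_push_imm32(bytes.fromhex(hs)) for name, hs in strings.items()}


def constant_shift(pairs) -> set:
    """Set of (unpack - dump) deltas; a single value means the two artefacts
    differ only by a constant offset, so hits can be translated between them."""
    return {unpack - dump for dump, unpack in pairs}


def build_constructed_dump() -> bytes:
    """A fake dump (constructed test data, not sample memory) with patterns
    planted at chosen offsets inside NOP filler that cannot match anything."""
    buf = bytearray(b"\x90" * 0x3000)
    plant = {
        0x0251: FORMBOOK_1112E116["$a1"],
        0x1000: FORMBOOK_1112E116["$a3"],
        0x2000: JPCERT_PUSHES["$sqlite3step"],
        0x2100: JPCERT_PUSHES["$sqlite3step"],   # the report lists it twice as well
        0x2200: JPCERT_PUSHES["$sqlite3blob"],
    }
    for off, hs in plant.items():
        raw = bytes.fromhex(hs)
        buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    dump = build_constructed_dump()
    for name, offs in scan(dump, {**FORMBOOK_1112E116, **JPCERT_PUSHES}).items():
        print(name, [hex(o) for o in offs])
    print({k: hex(v) for k, v in push_immediates(JPCERT_PUSHES).items()})
    print("constant shift:", {hex(d) for d in constant_shift(REPORTED_OFFSETS.values())})
```

Offsets come back relative to the buffer start, exactly like the table offsets, so for the 0x401000 memory dump add 0x401000 to get the virtual address. Run over the report's own offset pairs, `constant_shift` returns {0x200}, the delta between the two tables.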
            No Sigma rule has matched
            No Snort rule has matched


            AV Detection

Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | ReversingLabs: Detection: 50%
Source: Yara match | File source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Joe Sandbox ML: detected
Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook, C2 list: www.imperiumtowns.xyz/b3es/ (the complete configuration, including the 64 decoy domains, is reproduced once under Classification above)
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP | source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000002.259630294.0000000001010000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.256483159.0000000000E7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.253297062.0000000000CD6000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000002.259630294.0000000001010000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.256483159.0000000000E7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.253297062.0000000000CD6000.00000004.00000800.00020000.00000000.sdmp
wntdll.pdb is the symbol file name of the 32-bit (WOW64) ntdll.dll. Finding it in several non-module memory regions of the second process (the 0x01010000, 0x00E7B000 and 0x00CD6000 dumps) is consistent with FormBook's documented habit of mapping its own fresh copy of ntdll.dll and calling into that copy, which bypasses user-mode API hooks placed by EDR agents and sandboxes.
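The two "Static PE information" lines decoded, as an added example (not part of the report): a dependency-free Python reader for IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics, the two flag words the sandbox prints. The header it parses is constructed with the flag values the report lists; it is not the sample, and a real file is read with `open(path, "rb").read()` in place of `build_constructed_header()`.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (subset that matters for triage).
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (subset).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def flag_names(value: int, table: dict) -> list:
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def read_pe_characteristics(data: bytes) -> dict:
    """Parse just enough of a PE to report the two flag words the sandbox prints."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # DllCharacteristics sits at +70 in both the PE32 and the PE32+ layout.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": nsections,
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
    }


def build_constructed_header(characteristics: int = 0x0102,
                             dll_characteristics: int = 0x8540) -> bytes:
    """A minimal PE32 header (constructed; not the sample) carrying the given flags.

    The defaults encode what the report lists: EXECUTABLE_IMAGE|32BIT_MACHINE and
    DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    optional = bytearray(0xE0)                          # PE32 optional header size
    struct.pack_into("<H", optional, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", optional, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional)


if __name__ == "__main__":
    info = read_pe_characteristics(build_constructed_header())
    print("Characteristics:", ", ".join(info["characteristics"]))
    print("DllCharacteristics:", ", ".join(info["dll_characteristics"]))
```

A DllCharacteristics value of 0x8540 (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) is what .NET compilers emit by default for a 32-bit assembly, so on its own it says nothing about intent; NO_SEH only tells the loader to reject any structured exception handler the image tries to register.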

            Networking

Only the first entry below is a network indicator. Every other string is a font-foundry or licence URL (Font Bureau, Carter & Cone, Jiyu-Kobo, Sajatypeworks, Sandoll, Sakkal, Tiro, URW++, ZhongYi, Founder, Galapagos Design, Monotype, fonts.com, fontfabrik, the Apache 2.0 licence) recovered from font metadata in the process's memory; the trailing characters after many of them (comFPx, .co.jp/(x, .netD, DPlease) are string-extraction overrun, not part of any URL. Treat them as artefacts of embedded font resources, not as contacted hosts; the report records no Snort match for this run.
Source: Malware configuration extractor | URLs: www.imperiumtowns.xyz/b3es/
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.237103546.00000000053AB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://en.wikip
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241550871.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240670623.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241314930.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241336054.00000000053BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comFPx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242284956.00000000053B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comFgx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240742786.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240670623.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240603222.00000000053B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comOx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241146831.00000000053B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241550871.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241336054.00000000053BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241550871.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241314930.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241336054.00000000053BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comcoma
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241550871.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comdKx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240742786.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comessedBx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.254193387.00000000053B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240670623.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240603222.00000000053B4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlvfetPx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.254193387.00000000053B6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240742786.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240670623.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comoitu
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241550871.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240742786.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241616644.00000000053BA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.241336054.00000000053BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comyux
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.237766559.00000000053A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.c
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.237766559.00000000053A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.237783564.00000000053AE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.237951551.00000000053AE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/T
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.236833345.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/nt
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242944051.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242734447.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242880246.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.243359577.00000000053B6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.243191419.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.243076980.00000000053B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242734447.00000000053B8000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242880246.00000000053B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239615103.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239980903.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239638756.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240051220.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239744541.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240088210.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239686574.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239850577.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239918940.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240133807.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239808719.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239830507.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239944814.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239899581.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239706031.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240110528.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.240166526.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239615103.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239638756.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239744541.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239686574.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239850577.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239808719.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239830507.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239706031.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/(x
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/6x
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Ox
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Px
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/gx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Kx
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239615103.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239638756.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239686574.00000000053BB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/os
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.239447034.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ux
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.242595921.00000000053A5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.235284225.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.238183730.00000000053DE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.275925764.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
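Turning the extracted configuration into detection logic, as an added example (not from the report, Joe Security or FormBook's authors): Python that splits the FormBook config into the one real C2 and the decoy list, classifies proxy-log requests against them, and flags the beaconing shape FormBook produces (the same URI path sent to the C2 and to decoys). The config is a trimmed copy of the one the extractor printed, the proxy log is constructed for the example, and the `www.` stripping encodes an assumption about how FormBook forms decoy URLs rather than anything the report states.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Trimmed copy of the configuration the report's extractor printed: the C2 entry
# and a handful of the 64 decoy domains are enough for the example.
FORMBOOK_CONFIG = json.loads("""
{"C2 list": ["www.imperiumtowns.xyz/b3es/"],
 "decoy": ["sweets.wtf", "apextama.com", "tygbs.com", "kumaoedu.com",
           "bestbathroomremodeling.club", "lnshykj.com", "nelsonanddima.com"]}
""")

# Constructed proxy log (timestamp, client, method, host, path+query, status);
# this is not traffic from the report, which recorded no Snort hits.
SAMPLE_PROXY_LOG = """\
2022-01-01T10:01:02Z 10.0.0.5 GET www.imperiumtowns.xyz /b3es/?kd=abc 200
2022-01-01T10:01:03Z 10.0.0.5 GET www.sweets.wtf /b3es/?kd=abc 404
2022-01-01T10:01:04Z 10.0.0.5 GET www.apextama.com /b3es/?kd=abc 200
2022-01-01T10:02:00Z 10.0.0.7 GET www.wikipedia.org /wiki/Main_Page 200
2022-01-01T10:02:05Z 10.0.0.5 POST www.imperiumtowns.xyz /b3es/ 200
"""


def split_c2(entry: str) -> Tuple[str, str]:
    """FormBook C2 entries carry no scheme ('host/path/'); return (host, path)."""
    parts = urlsplit(entry if "://" in entry else "http://" + entry)
    return (parts.hostname or "").lower(), parts.path or "/"


def canonical_host(host: str) -> str:
    """Drop a leading 'www.' so config domains and contacted hosts compare equal
    (assumption: FormBook prefixes 'www.' when it builds decoy URLs)."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(cfg: dict) -> dict:
    c2 = [split_c2(e) for e in cfg["C2 list"]]
    return {
        "c2_hosts": {canonical_host(h) for h, _ in c2},
        "c2_paths": {p for _, p in c2},
        "decoy_hosts": {canonical_host(d) for d in cfg["decoy"]},
    }


def classify(host: str, path: str, ind: dict) -> Optional[dict]:
    """'c2' for the real controller, 'decoy' for cover traffic, None otherwise."""
    h = canonical_host(host)
    path_match = any(path.startswith(p) for p in ind["c2_paths"])
    if h in ind["c2_hosts"]:
        return {"verdict": "c2", "path_match": path_match}
    if h in ind["decoy_hosts"]:
        return {"verdict": "decoy", "path_match": path_match}
    return None


def parse_proxy_line(line: str) -> dict:
    ts, src, method, host, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "status": int(status)}


def scan_proxy_log(text: str, ind: dict) -> list:
    """One event (log record plus verdict) per line that touches a config host."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        verdict = classify(rec["host"], rec["path"], ind)
        if verdict:
            events.append({**rec, **verdict})
    return events


def summarise_by_source(events: list) -> dict:
    """Per client: C2 and decoy counts, and whether the C2 URI path was also sent
    to decoys, which is the shape of a FormBook beacon burst."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["src"], {"c2": 0, "decoy": 0, "decoy_with_c2_path": 0})
        s[ev["verdict"]] += 1
        if ev["verdict"] == "decoy" and ev["path_match"]:
            s["decoy_with_c2_path"] += 1
    for s in out.values():
        s["formbook_beacon_pattern"] = s["c2"] > 0 and s["decoy_with_c2_path"] > 0
    return out


if __name__ == "__main__":
    ind = build_indicators(FORMBOOK_CONFIG)
    events = scan_proxy_log(SAMPLE_PROXY_LOG, ind)
    for ev in events:
        print(ev["ts"], ev["src"], ev["verdict"], ev["host"], ev["path"])
    print(summarise_by_source(events))
```

Alert on the C2 host by itself; treat a decoy hit as context only, and escalate a client that reaches the C2 and sends the same `/b3es/` path to decoys, since that combination is the bot's own traffic shape rather than a user browsing to a domain that happens to be on the decoy list.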

            E-Banking Fraud

Source: Yara match | File source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.23f0738.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.23d2f68.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe PID: 2804, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe PID: 5948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.0.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.3706fe0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.23f0738.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.23d2f68.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.36777c0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000000.252621166.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe PID: 2804, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe PID: 5948, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 0_2_00A7C164
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 0_2_00A7E5A2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 0_2_00A7E5B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0103F900
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01054120
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010599BF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01036800
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F1002
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0110E824
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105A830
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0104B090
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010620A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_011020A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_011028EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105A309
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F231B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01102B28
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010DCB4F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105AB40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010DEB8A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0106138B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105EB9A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0106EBB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F03DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010FDBD2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0106ABD8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01088BE8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010E23E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010EFA2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105B236
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_011032A9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_011022AE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010FE2C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F4AEF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01102D07
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01030D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01101D55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01062581
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F2D82
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010665A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_011025DD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0104D5E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0104841F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010FD466
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0105B477
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F4496
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0110DFCE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01101FF1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010F67E2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01055600
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010FD616
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01056E30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010E1EB6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01102EF7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: String function: 010C5720 appears 38 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: String function: 0103B150 appears 154 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: String function: 0108D08C appears 39 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010796E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079910 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079950 NtQueueApcThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010799A0 NtCreateSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010799D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079820 NtEnumerateKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079840 NtDelayExecution
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0107B040 NtSuspendThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010798A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010798F0 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079B00 NtSetValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0107A3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079A00 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079A10 NtQuerySection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079A20 NtResumeThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079A50 NtCreateFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0107AD30 NtSetContextThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079540 NtReadFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079560 NtWriteFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010795D0 NtClose
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010795F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0107A710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079710 NtQueryInformationToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079760 NtOpenProcess
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_0107A770 NtOpenThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079770 NtSetInformationFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079780 NtMapViewOfSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010797A0 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079FE0 NtCreateMutant
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079650 NtQueryValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_01079670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Code function: 2_2_010796D0 NtCreateKey
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.256915328.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.256915328.00000000023B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.277100354.0000000006E70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000002.266786451.000000000364F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000000.231950472.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamehlqt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.258176308.0000000000F9A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000002.260500799.000000000112F000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.254473886.0000000000DEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Binary or memory string: OriginalFilenamehlqt.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | ReversingLabs: Detection: 50%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe.log
            Source: classification engine | Classification label: mal88.troj.evad.winEXE@5/1@0/0
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000000.231950472.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000000.231950472.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000000.231950472.0000000000082000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Mutant created: \Sessions\1\BaseNamedObjects\hrCPkPTHlBkxv
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000000.00000003.236688691.00000000053BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: a trademark of the Microsoft group of companies.slnt
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | String found in binary or memory: Username:-AddusertextBoxUsernameCash
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000002.259630294.0000000001010000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.256483159.0000000000E7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.253297062.0000000000CD6000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000002.259630294.0000000001010000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.256483159.0000000000E7B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.845.22447.exe, 00000002.00000003.253297062.0000000000CD6000.00000004.00000800.00020000.00000000.sdmp