Windows Analysis Report
SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Analysis ID:	1435276
MD5:	aaf817515d979805f44294a29c78adc0
SHA1:	30c103a04b06d67b74c008a096842ed2823ac002
SHA256:	ac56d91f9e736d3354f645796d5e476cb29a60c1fe69593cb17ceba515e97038
Tags:	exe
Infos:

Detection

FormBook

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to detect virtual machines (SLDT)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Virustotal: Detection: 42%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1972389703.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.24.84:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49753 version: TLS 1.2

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1628797318.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1630742148.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000001.00000002.1972801906.0000000001280000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000001.00000002.1972801906.0000000001280000.00000040.00001000.00020000.00000000.sdmp

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.24.84

Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=NpDzGg3shNg5Ach&MD=oe4npzOc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=NpDzGg3shNg5Ach&MD=oe4npzOc HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST /RST2.srf HTTP/1.0Connection: Keep-AliveContent-Type: application/soap+xmlAccept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})Content-Length: 3592Host: login.live.com

Source: Amcache.hve.8.dr

String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.24.84:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49753 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1972389703.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2ff1f20.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2fef6e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects downloader injector Author: ditekSHen
Source: 00000001.00000002.1972389703.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1630078265.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects downloader injector Author: ditekSHen

Contains functionality to call native functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0042AED3 NtClose,	1_2_0042AED3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_012F2DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F4340 NtSetContextThread,	1_2_012F4340
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F4650 NtSuspendThread,	1_2_012F4650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2B60 NtClose,	1_2_012F2B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2BA0 NtEnumerateValueKey,	1_2_012F2BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2B80 NtQueryInformationFile,	1_2_012F2B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2BE0 NtQueryValueKey,	1_2_012F2BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2BF0 NtAllocateVirtualMemory,	1_2_012F2BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2AB0 NtWaitForSingleObject,	1_2_012F2AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2AF0 NtWriteFile,	1_2_012F2AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2AD0 NtReadFile,	1_2_012F2AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2D30 NtUnmapViewOfSection,	1_2_012F2D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2D00 NtSetInformationFile,	1_2_012F2D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2D10 NtMapViewOfSection,	1_2_012F2D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2DB0 NtEnumerateKey,	1_2_012F2DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2DD0 NtDelayExecution,	1_2_012F2DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2C00 NtQueryInformationProcess,	1_2_012F2C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2C60 NtCreateKey,	1_2_012F2C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2C70 NtFreeVirtualMemory,	1_2_012F2C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2CA0 NtQueryInformationToken,	1_2_012F2CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2CF0 NtOpenProcess,	1_2_012F2CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2CC0 NtQueryVirtualMemory,	1_2_012F2CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2F30 NtCreateSection,	1_2_012F2F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2F60 NtCreateProcessEx,	1_2_012F2F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2FA0 NtQuerySection,	1_2_012F2FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2FB0 NtResumeThread,	1_2_012F2FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2F90 NtProtectVirtualMemory,	1_2_012F2F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2FE0 NtCreateFile,	1_2_012F2FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2E30 NtWriteVirtualMemory,	1_2_012F2E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2EA0 NtAdjustPrivilegesToken,	1_2_012F2EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2E80 NtReadVirtualMemory,	1_2_012F2E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F2EE0 NtQueueApcThread,	1_2_012F2EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F3010 NtOpenDirectoryObject,	1_2_012F3010
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F3090 NtSetValueKey,	1_2_012F3090
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F35C0 NtCreateMutant,	1_2_012F35C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F39B0 NtGetContextThread,	1_2_012F39B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F3D10 NtOpenProcessToken,	1_2_012F3D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F3D70 NtOpenThread,	1_2_012F3D70

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 0_2_0159AA28	0_2_0159AA28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 0_2_01599150	0_2_01599150
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0040F973	1_2_0040F973
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_004029D0	1_2_004029D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00401210	1_2_00401210
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0042D353	1_2_0042D353
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00416313	1_2_00416313
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00403380	1_2_00403380
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0040FB93	1_2_0040FB93
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0040DC10	1_2_0040DC10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0040DC13	1_2_0040DC13
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0040271D	1_2_0040271D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00402720	1_2_00402720
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012B0100	1_2_012B0100
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0135A118	1_2_0135A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01348158	1_2_01348158
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013801AA	1_2_013801AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013741A2	1_2_013741A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013781CC	1_2_013781CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01352000	1_2_01352000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137A352	1_2_0137A352
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012CE3F0	1_2_012CE3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013803E6	1_2_013803E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01360274	1_2_01360274
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013402C0	1_2_013402C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C0535	1_2_012C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01380591	1_2_01380591
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01364420	1_2_01364420
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01372446	1_2_01372446
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0136E4F6	1_2_0136E4F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C0770	1_2_012C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012E4750	1_2_012E4750
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012BC7C0	1_2_012BC7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012DC6E0	1_2_012DC6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012D6962	1_2_012D6962
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C29A0	1_2_012C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0138A9A6	1_2_0138A9A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012CA840	1_2_012CA840
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C2840	1_2_012C2840
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012A68B8	1_2_012A68B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012EE8F0	1_2_012EE8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137AB40	1_2_0137AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01376BD7	1_2_01376BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012BEA80	1_2_012BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0135CD1F	1_2_0135CD1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012CAD00	1_2_012CAD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012D8DBF	1_2_012D8DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012BADE0	1_2_012BADE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C0C00	1_2_012C0C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01360CB5	1_2_01360CB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012B0CF2	1_2_012B0CF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01362F30	1_2_01362F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01302F28	1_2_01302F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012E0F30	1_2_012E0F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01334F40	1_2_01334F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0133EFA0	1_2_0133EFA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012B2FC8	1_2_012B2FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137EE26	1_2_0137EE26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C0E59	1_2_012C0E59
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137CE93	1_2_0137CE93
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012D2E90	1_2_012D2E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137EEDB	1_2_0137EEDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012F516C	1_2_012F516C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0138B16B	1_2_0138B16B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012AF172	1_2_012AF172
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012CB1B0	1_2_012CB1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137F0E0	1_2_0137F0E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013770E9	1_2_013770E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C70C0	1_2_012C70C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0136F0CC	1_2_0136F0CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137132D	1_2_0137132D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012AD34C	1_2_012AD34C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0130739A	1_2_0130739A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C52A0	1_2_012C52A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013612ED	1_2_013612ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012DB2C0	1_2_012DB2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01377571	1_2_01377571
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0135D5B0	1_2_0135D5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013895C3	1_2_013895C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137F43F	1_2_0137F43F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012B1460	1_2_012B1460
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137F7B0	1_2_0137F7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01305630	1_2_01305630
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_013716CC	1_2_013716CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01355910	1_2_01355910
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C9950	1_2_012C9950
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012DB950	1_2_012DB950
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0132D800	1_2_0132D800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C38E0	1_2_012C38E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137FB76	1_2_0137FB76
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012DFB80	1_2_012DFB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01335BF0	1_2_01335BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012FDBF9	1_2_012FDBF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01333A6C	1_2_01333A6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01377A46	1_2_01377A46
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137FA49	1_2_0137FA49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01305AA0	1_2_01305AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01361AA3	1_2_01361AA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0135DAAC	1_2_0135DAAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0136DAC6	1_2_0136DAC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01377D73	1_2_01377D73
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C3D40	1_2_012C3D40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01371D5A	1_2_01371D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012DFDC0	1_2_012DFDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01339C32	1_2_01339C32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137FCF2	1_2_0137FCF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137FF09	1_2_0137FF09
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0137FFB1	1_2_0137FFB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C1F92	1_2_012C1F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01283FD2	1_2_01283FD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_01283FD5	1_2_01283FD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012C9EB0	1_2_012C9EB0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: String function: 012F5130 appears 58 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: String function: 01307E54 appears 108 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: String function: 0133F290 appears 105 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: String function: 012AB970 appears 265 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: String function: 0132EA12 appears 86 times

One or more processes crash

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 196

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000000.1624989636.0000000000AA2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHOSTNAME.exel% vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1630078265.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1628889436.0000000003FE5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExample.dll0 vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1628797318.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1627719341.000000000112E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000000.00000002.1630742148.0000000005710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe, 00000001.00000002.1972801906.00000000013AD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: OriginalFilenameHOSTNAME.exel% vs SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Uses 32bit PE files

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 1.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2ff1f20.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2fef6e0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector
Source: 00000001.00000002.1972389703.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1630078265.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_DLInjector02 author = ditekSHen, description = Detects downloader injector

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.raw.unpack, DarkListView.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.55f0000.3.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.4054f90.2.raw.unpack, DarkComboBox.cs	Base64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'

Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: MSB2013: The project-to-project reference with GUID {0} could not be converted because a valid .SLN file containing all projects could not be found.
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: .vbproj
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: .csproj
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: .csprojM{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: .vbprojM{F184B08F-C81C-45F6-A57F-5ABD9991F28F}
Source: SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Binary or memory string: *.sln.sln

Source: classification engine

Classification label: mal92.troj.evad.winEXE@23/6@4/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.log

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6624

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2372,i,13039814948342334997,6454914738324802222,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6624 -s 196
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe"	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 --field-trial-handle=2372,i,13039814948342334997,6454914738324802222,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Section loaded: windows.storage.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0041A0EC push esi; retf	1_2_0041A0BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0041133C push esp; retf	1_2_0041133D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00408397 push esp; iretd	1_2_004083AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00413551 push eax; ret	1_2_00413552
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_004035E0 push eax; ret	1_2_004035E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00404E45 push ds; iretd	1_2_00404E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00404E1C push ds; iretd	1_2_00404E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00404E23 push ds; iretd	1_2_00404E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00404ECD push ds; iretd	1_2_00404E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_004186EA push ebx; ret	1_2_004186EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_00417F62 push ecx; retf	1_2_00417F64
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0128225F pushad ; ret	1_2_012827F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012827FA pushad ; ret	1_2_012827F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_012B09AD push ecx; mov dword ptr [esp], ecx	1_2_012B09B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0128283D push eax; iretd	1_2_01282858
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Code function: 1_2_0128135E push eax; iretd	1_2_01281369

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Memory allocated: 1590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Process queried: DebugPort			Jump to behavior

Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2ff1f20.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2ff1f20.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.2ff1f20.0.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs	Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved		unknown	unknown	false
142.251.40.196	www.google.com	United States		15169	GOOGLEUS	false

Name	IP	Active
google.com	142.251.40.206	true
www.google.com	142.251.40.196	true

ID:	1435276
Product:	CloudBasic
Start time:	12:23:10
Start date:	02.05.2024
Sample:	SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	aaf817515d979805f44294a29c78adc0
SHA1:	30c103a04b06d67b74c008a096842ed2823ac002
SHA256:	ac56d91f9e736d3354f645796d5e476cb29a60c1fe69593cb17ceba515e97038
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_c82ea277b6871d198159225c9e96b9ed27abff4a_56054b36_5bf8dc03-b4d2-413f-8be5-e604e5a16adf\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	39808C77CCB6437FF998283B7F0BCB08	BB47CEE31B246461BE1A80D9E27CEF216888925D	3F61EA1AE6199377A351893D6CE8A8346BD925D5955F0ED720BFD2D8B513F4BD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CA0.tmp.dmp	Mini DuMP crash report, 14 streams, Thu May 2 10:24:21 2024, 0x1205a4 type	0910A410AD7AD406D3630D84DA27C8D0	0209697DC50F2912218FA6C5DC8E4831E7E44E4A	B009B33234FBF3076B5C19A550ED393F0AFAEFB772B80D57D1BA582C6F23DEB7
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D0F.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	6439A87234A4EAEC1198B1EEE726CE16	F9568FD11228FC157B396FB0AF2098379ECBBF96	9C9D2E117FFFBA50AAD17EB7C11980864D6B8483B53F3FCC6B1A792AD6173628
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D5E.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B4A43153F8C30497FD4A3CC5ABA7CA67	E415A3773718C8374E48EB7BCB4200F44575ED0C	12273986E9B50B19FD0317E482AF74DFC47C6131FFA2F353094589F8F3DED480
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe.log	ASCII text, with CRLF line terminators	9BA266AD16952A9A57C3693E0BCFED48	5DB70A3A7F1DB4E3879265AB336B2FA1AFBCECD5	A6DFD14E82D7D47195A1EC7F31E64C2820AB8721EF4B5825E21E742093B55C0E
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	0477CCBB387DAAB048A760953CDD0362	ECD1C6A178CD996BF8AD278F7D0BA14A01063E14	65CB51D87609817FAD16B93D77FE031BCF7F6AAEA004416E3E5C2C0AFEC1E554

Windows Analysis Report SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Windows Analysis Report
SecuriteInfo.com.W32.MSIL_Kryptik.KXQ.gen.Eldorado.28696.3484.exe

Malware Threat Intel
Provided by