
Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Analysis ID: 756014
MD5: b5678475c3c15fdafff2c5c8b49d5dc1
SHA1: 7407554011988292b3e3522e19edb5532f21ee4e
SHA256: 755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe (PID: 5592 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • powershell.exe (PID: 3236 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3728 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bVgCuQEDo.exe (PID: 1500 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • schtasks.exe (PID: 5752 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • bVgCuQEDo.exe (PID: 2288 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • bVgCuQEDo.exe (PID: 2888 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • bVgCuQEDo.exe (PID: 1920 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 908 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
  • cleanup
{"C2 list": ["www.mahalaburn.com/k0ud/"]}
Source | Rule | Description | Author | Strings
00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    • 0x10050:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x8dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x8681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x8cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x8e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x78cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xedc7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xfdba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0xb0c9:$sqlite3step: 68 34 1C 7B E1
    • 0xbc41:$sqlite3step: 68 34 1C 7B E1
    • 0xb10b:$sqlite3text: 68 38 2A 90 C5
    • 0xbc86:$sqlite3text: 68 38 2A 90 C5
    • 0xb122:$sqlite3blob: 68 53 D8 7F 8C
    • 0xbc9c:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
      Source | Rule | Description | Author | Strings
      16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
        16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen
        • 0x2a83a:$v1: SbieDll.dll
        • 0x6dc90:$v1: SbieDll.dll
        • 0x2a854:$v2: USER
        • 0x6dce4:$v2: USER
        • 0x2a860:$v3: SANDBOX
        • 0x6dd2c:$v3: SANDBOX
        • 0x6df6c:$v3: SANDBOX
        • 0x2a872:$v4: VIRUS
        • 0x2a8c2:$v4: VIRUS
        • 0x6dd78:$v4: VIRUS
        • 0x6deea:$v4: VIRUS
        • 0x2a880:$v5: MALWARE
        • 0x6ddc0:$v5: MALWARE
        • 0x2a892:$v6: SCHMIDTI
        • 0x6de0c:$v6: SCHMIDTI
        • 0x2a8a6:$v7: CURRENTUSER
        • 0x6de5c:$v7: CURRENTUSER
        16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
          16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste | Detects executables potentially checking for WinJail sandbox window | ditekSHen
          • 0xd06a:$v1: SbieDll.dll
          • 0x504c0:$v1: SbieDll.dll
          • 0xd084:$v2: USER
          • 0x50514:$v2: USER
          • 0xd090:$v3: SANDBOX
          • 0x5055c:$v3: SANDBOX
          • 0x5079c:$v3: SANDBOX
          • 0xd0a2:$v4: VIRUS
          • 0xd0f2:$v4: VIRUS
          • 0x505a8:$v4: VIRUS
          • 0x5071a:$v4: VIRUS
          • 0xd0b0:$v5: MALWARE
          • 0x505f0:$v5: MALWARE
          • 0xd0c2:$v6: SCHMIDTI
          • 0x5063c:$v6: SCHMIDTI
          • 0xd0d6:$v7: CURRENTUSER
          • 0x5068c:$v7: CURRENTUSER
          0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

            Persistence and Installation Behavior

            Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ParentProcessId: 5592, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, ProcessId: 3728, ProcessName: schtasks.exe
            No Snort rule has matched

            AV Detection

            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe | ReversingLabs: Detection: 34%
            Source: Yara match | File source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe | ReversingLabs: Detection: 34%
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe | Joe Sandbox ML: detected
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe | Joe Sandbox ML: detected
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.mahalaburn.com/k0ud/"]}
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp

            Networking

            Source: Malware configuration extractor | URLs: www.mahalaburn.com/k0ud/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000018.00000000.405613153.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.474698963.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.364042098.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.439327241.0000000001425000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coma%O
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comlvfet
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

            E-Banking Fraud

            Source: Yara match | File source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2632f48.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000017.00000002.509702733.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe PID: 2136, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: chkdsk.exe PID: 908, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2632f48.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000017.00000002.509702733.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe PID: 2136, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: chkdsk.exe PID: 908, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_0094C164
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_0094E5B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_0094E5A2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC06E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC28D1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC942D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC6589
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC6598
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC06D9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC2320
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC2330
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC6829
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_04AC6838
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_07B90758
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 0_2_07B90748
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe; Code function: 16_2_013FC164
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe; Code function: 16_2_013FE5B0
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe; Code function: 16_2_013FE5A3
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe; Code function: 16_2_085F0040
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe; Code function: 16_2_085F0031
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0108F900
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010A4120
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010A99BF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01141002
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0115E824
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AA830
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0109B090
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010B20A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011520A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011528EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AA309
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0114231B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01152B28
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AAB40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0112CB4F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010B138B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AEB9A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0112EB8A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010BEBB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0114DBD2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011403DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010BABD8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010D8BE8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011323E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0113FA2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AB236
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011522AE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011532A9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0114E2C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01144AEF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01152D07
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01080D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01151D55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01142D82
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010B65A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011525DD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0109D5E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0109841F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0114D466
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010AB477
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01144496
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0115DFCE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01151FF1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_011467E2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0114D616
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010A5600
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010A6E30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01131EB6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_01152EF7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004012A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_00422926
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_00421340
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0040B437
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004044C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004044BE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_00422514
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004215DC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0040FE67
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004046E7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: String function: 0108B150 appears 154 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: String function: 01115720 appears 38 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: String function: 010DD08C appears 37 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C96E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9910 NtAdjustPrivilegesToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9950 NtQueueApcThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C99A0 NtCreateSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C99D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9820 NtEnumerateKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010CB040 NtSuspendThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9840 NtDelayExecution
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C98A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C98F0 NtReadVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9B00 NtSetValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010CA3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9A00 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9A10 NtQuerySection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9A20 NtResumeThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9A50 NtCreateFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010CAD30 NtSetContextThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9540 NtReadFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9560 NtWriteFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C95D0 NtClose
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C95F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010CA710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9710 NtQueryInformationToken
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9760 NtOpenProcess
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010CA770 NtOpenThread
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9770 NtSetInformationFile
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9780 NtMapViewOfSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C97A0 NtUnmapViewOfSection
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9FE0 NtCreateMutant
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9650 NtQueryValueKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C9670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_010C96D0 NtCreateKey
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_0041E067 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe; Code function: 18_2_004012A4 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
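The Yara hits on memory dumps listed at the top of this section and the native-API call sites listed after them are the two pieces of a report like this that a triage script pulls out. The following is an added example, not part of the report and not Joe Sandbox's own code: it parses both line shapes (tolerating the fused "MEMORYMatched rule:" and repeated-address forms the extraction produced) and, from the Nt* calls a process references, names the injection primitives the sample has the building blocks for. The `.sdmp` field layout (process index, dump index, sequence number, base address, page protection, memory type) and its reading as Win32 PAGE_*/MEM_* values are assumptions inferred from the names on this page, not a documented format; PROFILES is this example's own heuristic, not the sandbox's signature logic; and SAMPLE_LINES are constructed from values on the page with rule metadata shortened.

```python
"""Triage helper for the flattened Joe Sandbox signature lines on this page.

Added example, not report or Joe Sandbox code. Parses Yara hits on memory dumps
("Source: <x>.sdmp, type: MEMORY Matched rule: <rule> key = value, ...") and
native-API call sites ("Code function: <proc>_<stage>_<addr> NtXxx,..."), then
infers which injection primitives each process has the calls for. The .sdmp
layout below is an assumption inferred from the names on the page; PROFILES is
this example's own heuristic.
"""
import json
import re
from collections import defaultdict

SAMPLE = "C:\\Users\\user\\Desktop\\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe"

# Constructed from values on the page (rule metadata shortened), not copied verbatim.
SAMPLE_LINES = [
    "Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp,"
    " type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 os = windows, severity = x86,"
    " scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook",
    "Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp,"
    " type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group,"
    " description = detect Formbook in memory, rule_usage = memory scan",
    f"Source: {SAMPLE} Code function: 18_2_010C9950 NtQueueApcThread,",
    f"Source: {SAMPLE} Code function: 18_2_010C99A0 NtCreateSection,",
    f"Source: {SAMPLE} Code function: 18_2_010C9780 NtMapViewOfSection,",
    f"Source: {SAMPLE} Code function: 18_2_010C97A0 NtUnmapViewOfSection,",
    f"Source: {SAMPLE} Code function: 18_2_010C98A0 NtWriteVirtualMemory,",
    f"Source: {SAMPLE} Code function: 18_2_010CAD30 NtSetContextThread,",
    f"Source: {SAMPLE} Code function: 18_2_010C9A20 NtResumeThread,",
    f"Source: {SAMPLE} Code function: 18_2_010C9660 NtAllocateVirtualMemory,LdrInitializeThunk,",
]

# \s* between scan type and "Matched rule:" accepts the fused "MEMORYMatched rule:" form.
YARA_RE = re.compile(r"Source: (?P<src>.+?), type: (?P<scan>[A-Z]+?)\s*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$")
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")  # a value may itself contain ", "
SDMP_RE = re.compile(r"^(?P<proc>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\."
                     r"(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\.(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp$")
# The call list is optional, so "0_2_0094C1640_2_0094C164" (address repeated) still parses.
CODE_RE = re.compile(r"Code function: (?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-F]{8})(?: (?P<calls>[A-Za-z0-9_,]+))?")

# Win32 PAGE_* and MEM_* constants; that the .sdmp fields carry them is the assumption above.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Minimal native-call sets for the injection primitives the report attributes to the sample.
PROFILES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "section mapping into a process": {"NtCreateSection", "NtMapViewOfSection"},
}


def parse_sdmp(name):
    """Decode a dump file name into process index, base address, protection and memory type."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    protect, mtype = int(m["protect"], 16), int(m["mtype"], 16)
    return {"process": int(m["proc"], 16), "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(protect, hex(protect)), "type": MEM_TYPE.get(mtype, hex(mtype))}


def parse_yara_line(line):
    """Split a 'Matched rule' line into source, scan type, rule name, metadata and decoded region."""
    m = YARA_RE.search(line)
    if not m:
        return None
    meta = {k: v.strip() for k, v in META_RE.findall(m["meta"])}
    return {"source": m["src"], "scan": m["scan"], "rule": m["rule"], "meta": meta,
            "region": parse_sdmp(m["src"])}


def parse_code_function(line):
    """Extract process index, function address and the Nt* calls from a 'Code function' line."""
    m = CODE_RE.search(line)
    if not m:
        return None
    calls = [c for c in (m["calls"] or "").split(",") if c.startswith("Nt")]
    return {"process": int(m["proc"]), "address": int(m["addr"], 16), "native_calls": calls}


def infer_primitives(native_calls):
    """Name every profile whose full call set is present; a partial set is not reported."""
    observed = set(native_calls)
    return sorted(name for name, needed in PROFILES.items() if needed <= observed)


def triage(lines):
    """Group Yara hits and native calls by process index and infer primitives per process."""
    rules, calls = defaultdict(set), defaultdict(set)
    for line in lines:
        hit = parse_yara_line(line)
        if hit:
            if hit["region"]:
                rules[hit["region"]["process"]].add(hit["rule"])
            continue
        fn = parse_code_function(line)
        if fn:
            calls[fn["process"]].update(fn["native_calls"])
    return {"rules": {p: sorted(r) for p, r in rules.items()},
            "native_calls": {p: sorted(c) for p, c in calls.items()},
            "primitives": {p: infer_primitives(c) for p, c in calls.items()}}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run it directly to print the per-process summary. The process index 0x12 in the dump name is decimal 18, the same index the `18_2_…` code functions carry, so the Formbook hit at 0x401000 (RWX, private memory under the assumed field reading) and the hollowing-style call set land in the same process. Treat a PROFILES match as a prompt for manual review rather than a verdict: a benign loader can reference the same exports, and the sandbox's own signatures (process hollowing, APC queueing, thread-context modification) are the evidence that the calls were actually made.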