Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
Analysis ID:756014
MD5:b5678475c3c15fdafff2c5c8b49d5dc1
SHA1:7407554011988292b3e3522e19edb5532f21ee4e
SHA256:755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
Tags:exe
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe (PID: 5592 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • powershell.exe (PID: 3236 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 6000 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3728 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • bVgCuQEDo.exe (PID: 1500 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • schtasks.exe (PID: 5752 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • bVgCuQEDo.exe (PID: 2288 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • bVgCuQEDo.exe (PID: 2888 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
    • bVgCuQEDo.exe (PID: 1920 cmdline: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe MD5: B5678475C3C15FDAFFF2C5C8B49D5DC1)
      • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 908 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.mahalaburn.com/k0ud/"]}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
    • 0x10050:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x8dd7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x8bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x8681:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x8cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x8e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x78cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xedc7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xfdba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0xb0c9:$sqlite3step: 68 34 1C 7B E1
    • 0xbc41:$sqlite3step: 68 34 1C 7B E1
    • 0xb10b:$sqlite3text: 68 38 2A 90 C5
    • 0xbc86:$sqlite3text: 68 38 2A 90 C5
    • 0xb122:$sqlite3blob: 68 53 D8 7F 8C
    • 0xbc9c:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
      Click to see the 24 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpackINDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPasteDetects executables potentially checking for WinJail sandbox windowditekSHen
        • 0x2a83a:$v1: SbieDll.dll
        • 0x6dc90:$v1: SbieDll.dll
        • 0x2a854:$v2: USER
        • 0x6dce4:$v2: USER
        • 0x2a860:$v3: SANDBOX
        • 0x6dd2c:$v3: SANDBOX
        • 0x6df6c:$v3: SANDBOX
        • 0x2a872:$v4: VIRUS
        • 0x2a8c2:$v4: VIRUS
        • 0x6dd78:$v4: VIRUS
        • 0x6deea:$v4: VIRUS
        • 0x2a880:$v5: MALWARE
        • 0x6ddc0:$v5: MALWARE
        • 0x2a892:$v6: SCHMIDTI
        • 0x6de0c:$v6: SCHMIDTI
        • 0x2a8a6:$v7: CURRENTUSER
        • 0x6de5c:$v7: CURRENTUSER
        16.2.bVgCuQEDo.exe.2f10600.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
          16.2.bVgCuQEDo.exe.2f10600.1.raw.unpackINDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPasteDetects executables potentially checking for WinJail sandbox windowditekSHen
          • 0xd06a:$v1: SbieDll.dll
          • 0x504c0:$v1: SbieDll.dll
          • 0xd084:$v2: USER
          • 0x50514:$v2: USER
          • 0xd090:$v3: SANDBOX
          • 0x5055c:$v3: SANDBOX
          • 0x5079c:$v3: SANDBOX
          • 0xd0a2:$v4: VIRUS
          • 0xd0f2:$v4: VIRUS
          • 0x505a8:$v4: VIRUS
          • 0x5071a:$v4: VIRUS
          • 0xd0b0:$v5: MALWARE
          • 0x505f0:$v5: MALWARE
          • 0xd0c2:$v6: SCHMIDTI
          • 0x5063c:$v6: SCHMIDTI
          • 0xd0d6:$v7: CURRENTUSER
          • 0x5068c:$v7: CURRENTUSER
          0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpackJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 3 entries

            Sigma Signatures

            Persistence and Installation Behavior

            barindex
            Sigma detected: Scheduled temp file as task from temp location
            Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ParentProcessId: 5592, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp, ProcessId: 3728, ProcessName: schtasks.exe

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeReversingLabs: Detection: 34%
            Yara detected FormBook
            Source: Yara matchFile source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeReversingLabs: Detection: 34%
            Machine Learning detection for sample
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeJoe Sandbox ML: detected
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.mahalaburn.com/k0ud/"]}
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp

            Networking

            barindex
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: www.mahalaburn.com/k0ud/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000018.00000000.405613153.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.474698963.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.364042098.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.439327241.0000000001425000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma%O
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comlvfet
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

            E-Banking Fraud

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2632f48.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000017.00000002.509702733.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe PID: 2136, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: chkdsk.exe PID: 908, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2632f48.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000017.00000002.509702733.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe PID: 2136, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: Process Memory Space: chkdsk.exe PID: 908, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_0094C164
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_0094E5B0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_0094E5A2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC06E8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC28D1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC942D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC6589
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC6598
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC06D9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC2320
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC2330
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC6829
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_04AC6838
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_07B90758
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_07B90748
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_013FC164
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_013FE5B0
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_013FE5A3
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_085F0040
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_085F0031
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108F900
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141002
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115E824
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA830
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B090
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011520A8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011528EC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114231B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01152B28
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AAB40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112CB4F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B138B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AEB9A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112EB8A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BEBB0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114DBD2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011403DA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BABD8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010D8BE8
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011323E3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0113FA2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011522AE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011532A9
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114E2C5
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01152D07
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01080D20
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01151D55
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B65A0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011525DD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109D5E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109841F
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114D466
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115DFCE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01151FF1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011467E2
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114D616
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A5600
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A6E30
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01131EB6
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01152EF7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004012A4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00422926
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00421340
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0040B437
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004044C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004044BE
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00422514
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004215DC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0040FE67
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004046E7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: String function: 0108B150 appears 154 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: String function: 01115720 appears 38 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: String function: 010DD08C appears 37 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9910 NtAdjustPrivilegesToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9950 NtQueueApcThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C99A0 NtCreateSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C99D0 NtCreateProcessEx,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9820 NtEnumerateKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010CB040 NtSuspendThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9840 NtDelayExecution,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C98A0 NtWriteVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C98F0 NtReadVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9B00 NtSetValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010CA3B0 NtGetContextThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9A00 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9A10 NtQuerySection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9A20 NtResumeThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9A50 NtCreateFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9A80 NtOpenDirectoryObject,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9520 NtWaitForSingleObject,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010CAD30 NtSetContextThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9540 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9560 NtWriteFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C95D0 NtClose,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C95F0 NtQueryInformationFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010CA710 NtOpenProcessToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9710 NtQueryInformationToken,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9730 NtQueryVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9760 NtOpenProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010CA770 NtOpenThread,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9770 NtSetInformationFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9780 NtMapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C97A0 NtUnmapViewOfSection,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9FE0 NtCreateMutant,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9610 NtEnumerateValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9650 NtQueryValueKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9670 NtQueryInformationProcess,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C96D0 NtCreateKey,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041E067 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004012A4 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DE87 NtCreateFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DF37 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DFB7 NtClose,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041E062 NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004014E9 NtProtectVirtualMemory,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DED9 NtReadFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DE81 NtCreateFile,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DF81 NtReadFile,
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334117112.0000000004AF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.336275341.0000000006CB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334036482.0000000004AD0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000000.265911908.0000000000104000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameiKkH.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.328757871.0000000000FE8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330934926.000000000117F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.325498544.0000000000E3B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeBinary or memory string: OriginalFilenameiKkH.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: bVgCuQEDo.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeReversingLabs: Detection: 34%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeJump to behavior
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeJump to behavior
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile created: C:\Users\user\AppData\Local\Temp\tmpA32E.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@23/11@0/0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000000.265756583.0000000000022000.00000002.00000001.01000000.00000003.sdmp, bVgCuQEDo.exe.0.drBinary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000000.265756583.0000000000022000.00000002.00000001.01000000.00000003.sdmp, bVgCuQEDo.exe.0.drBinary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000000.265756583.0000000000022000.00000002.00000001.01000000.00000003.sdmp, bVgCuQEDo.exe.0.drBinary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2072:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeMutant created: \Sessions\1\BaseNamedObjects\hJsqLKixTYpYBEkvNIEUwIPhHoo
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1400:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_01
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeString found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeString found in binary or memory: Username:-AddusertextBoxUsernameCash
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000003.327603496.0000000000EC9000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000012.00000002.330019683.0000000001060000.00000040.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000017.00000002.510842522.0000000001970000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.511638904.0000000004F68000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.540613519.000000000521F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000002.538597996.0000000005100000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000001B.00000003.505532333.0000000004DC3000.00000004.00000800.00020000.00000000.sdmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 0_2_0094F972 pushad ; iretd
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeCode function: 16_2_013FF973 pushad ; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010DD0D1 push ecx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0042107C push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041A0CB push ecx; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004210C9 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004210D2 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0042209F push ebx; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00422926 push ebp; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00421133 push eax; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_004199F7 push edi; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0040A30B push esp; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00405428 push ss; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00421CB3 push edx; iretd
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_00419E1A push cs; ret
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0041DFE1 push es; retf
            Source: initial sampleStatic PE information: section name: .text entropy: 7.649605681917304
            Source: initial sampleStatic PE information: section name: .text entropy: 7.649605681917304
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeFile created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: 16.2.bVgCuQEDo.exe.2ef2e30.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 16.2.bVgCuQEDo.exe.2f10600.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2650718.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.2632f48.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe PID: 5592, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: bVgCuQEDo.exe PID: 1500, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe TID: 5576Thread sleep time: -38122s >= -30000s
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe TID: 5596Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5752Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2108Thread sleep count: 8818 > 30
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5928Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe TID: 1536Thread sleep time: -38122s >= -30000s
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe TID: 6132Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B6B90 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8610
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8818
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeAPI coverage: 1.7 %
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeThread delayed: delay time: 38122
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeThread delayed: delay time: 38122
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeThread delayed: delay time: 922337203685477
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000003.308065715.000000000079F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
            Source: explorer.exe, 00000018.00000000.451335841.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
            Source: bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000003.308065715.000000000079F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_VideoController(Standard display types)VMwareE673__12Win32_VideoController1222RG_1VideoController120060621000000.000000-000.902.201display.infMSBDA53Z6XYTLPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsCKBN36KZ
            Source: bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #l"SOFTWARE\VMware, Inc.\VMware Tools
            Source: bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
            Source: explorer.exe, 00000018.00000000.389248876.0000000007166000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
            Source: explorer.exe, 00000018.00000000.451335841.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000018.00000000.450556289.0000000008FD3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
            Source: explorer.exe, 00000018.00000000.451335841.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
            Source: explorer.exe, 00000018.00000000.477722712.0000000005063000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
            Source: bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000018.00000000.450556289.0000000008FD3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: bVgCuQEDo.exe, 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000018.00000000.492885633.000000000F62F000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Mail
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B6B90 rdtsc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A4120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083138 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141951 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108395E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108395E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158966 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114E962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AC182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BA185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108519E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108519E mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B2990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4190 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114A189 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114A189 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B61A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011051BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011051BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011051BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011051BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011449A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011449A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011449A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011449A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A99BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011069A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011419D8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010831E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011141E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01154015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01154015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA830 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141843 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A0050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01151074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AF86D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083880 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083880 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01103884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01103884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C90AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B20A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111B8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011418CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010858EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010840E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010840E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010840E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109F370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01091B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01091B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AEB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AEB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0113D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112EB8A mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0112EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BB390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B2397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084B94 mov edi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158BB6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01159BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01155BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141BA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B53C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011053CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011053CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01081BE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010ADBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B03E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011323E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011323E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011323E3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01098A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C4A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01088239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01088239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01088239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01114257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01089240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141A5F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C5A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C5A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C5A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0113B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0113B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114129A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BD294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01081AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B5AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B5AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010852A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010852A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010852A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010852A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010852A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B12BD mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B12BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B12BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BFAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B2ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083ACA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01085AC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010812D4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B2AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144AEF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01143518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01143518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01143518 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0110A537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BF527 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01093D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108354C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108354C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C3D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01103540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01133D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A7D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C4D51 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C4D51 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A8D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A8D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A8D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A8D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A8D76 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AC577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BFD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114B581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114B581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114B581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114B581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01142D82 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083591 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B35A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B65A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B65A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B65A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011505AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011505AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B1DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0113FDD3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010815C1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01138DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0114FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010895F0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010895F0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158C14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BBC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084439 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3C3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3C3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3C3E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B433 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B433 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109B433 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BA44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111C450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158C75 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BAC7B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C5C70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB477 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01144496 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01081480 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108649B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108649B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084CB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082CDB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01106CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011414FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0111FF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BA70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0115070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B4710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AF716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01084F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AB73D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B3F33 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BE730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01141751 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010BDF4C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108A745 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0109FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AE760 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010AE760 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01158F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01107794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01098794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01082FB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_011417D2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083FC5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083FC5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01083FC5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010B37EB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A97ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C37F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_01112E14 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_0108C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010A5600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeCode function: 18_2_010C9860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeSection unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: C80000
            Maps a DLL or memory area into another process
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe base: 400000 value starts with: 4D5A
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeThread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeThread register set: target process: 3452
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeProcess created: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
            Source: explorer.exe, 00000018.00000000.439720508.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.475446310.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.364838469.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerT7<=ge
            Source: explorer.exe, 00000018.00000000.482082204.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.439720508.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.400937623.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000018.00000000.439720508.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.475446310.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.364838469.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000018.00000000.438991980.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.474226196.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.362319149.0000000001378000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CProgmanile
            Source: explorer.exe, 00000018.00000000.439720508.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.475446310.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000018.00000000.364838469.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\bVgCuQEDo.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            Remote Access Functionality

            barindex
            Yara detected FormBook
            Source: Yara matchFile source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts1
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		512
            Process Injection            		1
            Masquerading            		OS Credential Dumping331
            Security Software Discovery            		Remote Services1
            Archive Collected Data            		Exfiltration Over Other Network Medium1
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default Accounts2
            Command and Scripting Interpreter            		Boot or Logon Initialization Scripts1
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory2
            Process Discovery            		Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
            Application Layer Protocol            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain Accounts1
            Scheduled Task/Job            		Logon Script (Windows)Logon Script (Windows)141
            Virtualization/Sandbox Evasion            		Security Account Manager141
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local Accounts1
            Shared Modules            		Logon Script (Mac)Logon Script (Mac)512
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common3
            Obfuscated Files or Information            		Cached Domain Credentials12
            System Information Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items2
            Software Packing            		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 756014 Sample: SecuriteInfo.com.Win32.Cryp... Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 5 other signatures 2->57 8 bVgCuQEDo.exe 5 2->8         started        11 SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe 7 2->11         started        process3 file4 59 Multi AV Scanner detection for dropped file 8->59 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->61 63 Machine Learning detection for dropped file 8->63 14 bVgCuQEDo.exe 8->14         started        17 schtasks.exe 1 8->17         started        19 bVgCuQEDo.exe 8->19         started        21 bVgCuQEDo.exe 8->21         started        43 C:\Users\user\AppData\Roaming\bVgCuQEDo.exe, PE32 11->43 dropped 45 C:\Users\...\bVgCuQEDo.exe:Zone.Identifier, ASCII 11->45 dropped 47 C:\Users\user\AppData\Local\...\tmpA32E.tmp, XML 11->47 dropped 49 SecuriteInfo.com.W....22726.1920.exe.log, ASCII 11->49 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 11->65 67 Adds a directory exclusion to Windows Defender 11->67 69 Injects a PE file into a foreign processes 11->69 23 powershell.exe 19 11->23         started        25 powershell.exe 19 11->25         started        27 schtasks.exe 1 11->27         started        29 SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe 11->29         started        signatures5 process6 signatures7 71 Modifies the context of a thread in another process (thread injection) 14->71 73 Maps a DLL or memory area into another process 14->73 75 Sample uses process hollowing technique 14->75 77 Queues an APC in another process (thread injection) 14->77 31 explorer.exe 14->31 injected 33 conhost.exe 17->33         started        35 conhost.exe 23->35         started        37 conhost.exe 25->37         started        39 conhost.exe 27->39         started        process8 process9 41 chkdsk.exe 31->41         started       

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe34%ReversingLabsByteCode-MSIL.Trojan.RemLoader
            SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\bVgCuQEDo.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\bVgCuQEDo.exe34%ReversingLabsByteCode-MSIL.Trojan.RemLoader

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            18.0.SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.400000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.fontbureau.comlvfet0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            www.mahalaburn.com/k0ud/0%Avira URL Cloudsafe
            http://www.fontbureau.coma%O0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            www.mahalaburn.com/k0ud/true
            • Avira URL Cloud: safe
            		low

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000018.00000000.405613153.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.474698963.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.364042098.0000000001425000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000018.00000000.439327241.0000000001425000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.fontbureau.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.com/designersGSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.com/designers/?SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers?SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.tiro.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fontbureau.com/designersSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.goodfont.co.krSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comlSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.typography.netDSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://fontfabrik.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cnSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.fontbureau.comlvfetSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers8SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.coma%OSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.327538116.0000000000B47000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://www.fonts.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sandoll.co.krSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deDPleaseSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.zhongyicts.com.cnSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, bVgCuQEDo.exe, 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.sakkal.comSecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe, 00000000.00000002.334784566.0000000006532000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown

                                    World Map of Contacted IPs

                                    No contacted IP infos

                                    General Information

                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                    Analysis ID:756014
                                    Start date and time:2022-11-29 13:59:37 +01:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 10m 1s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                    Number of analysed new started processes analysed:27
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:1
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@23/11@0/0
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HDC Information:
                                    • Successful, ratio: 52.6% (good quality ratio 47.3%)
                                    • Quality average: 74.4%
                                    • Quality standard deviation: 31.5%
                                    HCA Information:
                                    • Successful, ratio: 87%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe

                                    Warnings

                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    14:00:49API Interceptor2x Sleep call for process: SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe modified
                                    14:00:59API Interceptor74x Sleep call for process: powershell.exe modified
                                    14:01:05Task SchedulerRun new task: bVgCuQEDo path: C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    14:01:12API Interceptor2x Sleep call for process: bVgCuQEDo.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    No context

                                    Domains

                                    No context

                                    ASNs

                                    No context

                                    JA3 Fingerprints

                                    No context

                                    Dropped Files

                                    No context

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe.log

                                    Download File
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:modified
                                    Size (bytes):1308
                                    Entropy (8bit):5.345811588615766
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVgCuQEDo.exe.log

                                    Download File
                                    Process:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1308
                                    Entropy (8bit):5.345811588615766
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                    Malicious:false
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                    Download File
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):22004
                                    Entropy (8bit):5.5990339915304075
                                    Encrypted:false
                                    SSDEEP:384:dtCRGsPMqahOP07nYSjnSjuxbiV9ghSJ3uyq1+m0K1AVrdhstoA+inYb:mEqUOPoYoSSxjhcuSjhb
                                    MD5:9E6FE6CE3EC2053BDD9336BEBCEC7BFD
                                    SHA1:F16BA0E2A413B771831E4B475D96F68799E25626
                                    SHA-256:AA1C7C78727345DC5821A8C8A92A3D6BE656CDF0AB8CC873FB9B3A15734FBA82
                                    SHA-512:4BB21A20F3A192C49F5B580C9C6585923943EF1019CD54BF1EC175C86C8D21F1DBF04D32158600D4CCAC2081A6A9043ABD6BB20C5A9723E9156418A1FEA80E21
                                    Malicious:false
                                    Preview:@...e...........4...................:................@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fptjlsd3.wea.ps1

                                    Download File
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1

                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gym543un.edp.psm1

                                    Download File
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1

                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mm30uqch.onq.psm1

                                    Download File
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1

                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vh10hp4k.web.ps1

                                    Download File
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:very short file (no magic)
                                    Category:dropped
                                    Size (bytes):1
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3:U:U
                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                    Malicious:false
                                    Preview:1

                                    C:\Users\user\AppData\Local\Temp\tmpA32E.tmp

                                    Download File
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1596
                                    Entropy (8bit):5.152858960654771
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
                                    MD5:57E1BE44A6D2766E524D20545B4191F8
                                    SHA1:F1F39EB3ADCF81BD3D5EBF64E7357016327D3018
                                    SHA-256:5875F2790D53322F299C8A7719E1E262A58FF0C3BC8BC3CAD4A6B34886150816
                                    SHA-512:FDFE4992234A43974C4CA040D4F7042FE6F8C5D4088FC50E2ECE806ACB725F27A9B5E233AAF0F6F0F368FE9454CE7D0B50F3C90211BBC123BFE682898DB219A0
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                    C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp

                                    Download File
                                    Process:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1596
                                    Entropy (8bit):5.152858960654771
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qh/Q1K1y1mokUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtGxvn:cge4MYrFdOFzOzN33ODOiDdKrsuTKv
                                    MD5:57E1BE44A6D2766E524D20545B4191F8
                                    SHA1:F1F39EB3ADCF81BD3D5EBF64E7357016327D3018
                                    SHA-256:5875F2790D53322F299C8A7719E1E262A58FF0C3BC8BC3CAD4A6B34886150816
                                    SHA-512:FDFE4992234A43974C4CA040D4F7042FE6F8C5D4088FC50E2ECE806ACB725F27A9B5E233AAF0F6F0F368FE9454CE7D0B50F3C90211BBC123BFE682898DB219A0
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <

                                    C:\Users\user\AppData\Roaming\bVgCuQEDo.exe

                                    Download File
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):937472
                                    Entropy (8bit):7.626851498602256
                                    Encrypted:false
                                    SSDEEP:12288:B0dqU+0zR1NqFgVkN3kXsujtKtVrA8RssJk0cDe1Wa33JzysxUi59zDdzoa1cfN:KvFqgVAU8LrLq0vBhyLiTDdEPf
                                    MD5:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    SHA1:7407554011988292B3E3522E19EDB5532F21EE4E
                                    SHA-256:755C44B90198282D2494321B4CB18CAB7E4426EFD1B7F4A20F2A0793D68A2A1F
                                    SHA-512:05EB462D04FA52DC64781064305AAF73C960765E35F51EF3EEB87E81E25D2DBDCFE7E2C51840CCC4D25E61A7FFC4D0786232C115A395F5E94EABA9508088AECC
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 34%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0......B......2)... ...@....@.. ....................................@..................................(..O....@..\?........................................................................... ............... ..H............text...8.... ...................... ..`.rsrc...\?...@...@..................@..@.reloc...............L..............@..B.................)......H.......<...........l...8u..............................................^..}.....(.......(.....*.0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0...........s......o......(.....*...0..+.........,..{.......+....,...{....o........(.....*..0..r.............(....s......s....}.....s....}.....s....}.....s....}.....(......{....(....o......{.....o......{.....o .....{....r...p"..@A...s!...o".....{....(#...o$.....{.... .... ..

                                    C:\Users\user\AppData\Roaming\bVgCuQEDo.exe:Zone.Identifier

                                    Download File
                                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:true
                                    Preview:[ZoneTransfer]....ZoneId=0

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.626851498602256
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    File size:937472
                                    MD5:b5678475c3c15fdafff2c5c8b49d5dc1
                                    SHA1:7407554011988292b3e3522e19edb5532f21ee4e
                                    SHA256:755c44b90198282d2494321b4cb18cab7e4426efd1b7f4a20f2a0793d68a2a1f
                                    SHA512:05eb462d04fa52dc64781064305aaf73c960765e35f51ef3eeb87e81e25d2dbdcfe7e2c51840ccc4d25e61a7ffc4d0786232c115a395f5e94eaba9508088aecc
                                    SSDEEP:12288:B0dqU+0zR1NqFgVkN3kXsujtKtVrA8RssJk0cDe1Wa33JzysxUi59zDdzoa1cfN:KvFqgVAU8LrLq0vBhyLiTDdEPf
                                    TLSH:E115DF9023B6AF71F1686BF27412904827B63C6E98F1D12D9DDDB0DE2672B4049F1B27
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c..............0......B......2)... ...@....@.. ....................................@................................

                                    File Icon

                                    Icon Hash:000c0c1f9b1b1f8c

                                    Static PE Info

                                    General

                                    Entrypoint:0x4e2932
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6385B6A7 [Tue Nov 29 07:37:11 2022 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xe28e00x4f.text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0xe40000x3f5c.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0xe80000xc.reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000xe09380xe0a00False0.8227318969115192data7.649605681917304IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc0xe40000x3f5c0x4000False0.34625244140625data4.701482416927951IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0xe80000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountry
                                    RT_ICON0xe41480x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 7559 x 7559 px/m
                                    RT_ICON0xe45b00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 7559 x 7559 px/m
                                    RT_ICON0xe56580x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 7559 x 7559 px/m
                                    RT_GROUP_ICON0xe7c000x30data
                                    RT_VERSION0xe7c300x32cdata

                                    Imports

                                    DLLImport
                                    mscoree.dll_CorExeMain

                                    Network Behavior

                                    No network behavior found

                                    Statistics

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:14:00:39
                                    Start date:29/11/2022
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Imagebase:0x20000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.330634433.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.328148596.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low

                                    General

                                    Target ID:10
                                    Start time:14:00:52
                                    Start date:29/11/2022
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Imagebase:0xb00000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    General

                                    Target ID:11
                                    Start time:14:00:53
                                    Start date:29/11/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Target ID:12
                                    Start time:14:01:00
                                    Start date:29/11/2022
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Imagebase:0xb00000
                                    File size:430592 bytes
                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    General

                                    Target ID:13
                                    Start time:14:01:00
                                    Start date:29/11/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Target ID:14
                                    Start time:14:01:00
                                    Start date:29/11/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpA32E.tmp
                                    Imagebase:0xfa0000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Target ID:15
                                    Start time:14:01:01
                                    Start date:29/11/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Target ID:16
                                    Start time:14:01:05
                                    Start date:29/11/2022
                                    Path:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Imagebase:0xac0000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:.Net C# or VB.NET
                                    Yara matches:
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.360601754.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.365234756.00000000031B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Antivirus matches:
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 34%, ReversingLabs

                                    General

                                    Target ID:18
                                    Start time:14:01:05
                                    Start date:29/11/2022
                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.22726.1920.exe
                                    Imagebase:0x5c0000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000012.00000002.329666151.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                    General

                                    Target ID:19
                                    Start time:14:01:20
                                    Start date:29/11/2022
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bVgCuQEDo" /XML "C:\Users\user\AppData\Local\Temp\tmpEC0E.tmp
                                    Imagebase:0xfa0000
                                    File size:185856 bytes
                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Target ID:20
                                    Start time:14:01:20
                                    Start date:29/11/2022
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff745070000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Target ID:21
                                    Start time:14:01:21
                                    Start date:29/11/2022
                                    Path:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Imagebase:0x2c0000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Target ID:22
                                    Start time:14:01:22
                                    Start date:29/11/2022
                                    Path:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Imagebase:0x300000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language

                                    General

                                    Target ID:23
                                    Start time:14:01:22
                                    Start date:29/11/2022
                                    Path:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\bVgCuQEDo.exe
                                    Imagebase:0xe10000
                                    File size:937472 bytes
                                    MD5 hash:B5678475C3C15FDAFFF2C5C8B49D5DC1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000017.00000002.509702733.00000000014E0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown

                                    General

                                    Target ID:24
                                    Start time:14:01:24
                                    Start date:29/11/2022
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff69fe90000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000018.00000000.458798122.000000001018B000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                    General

                                    Target ID:27
                                    Start time:14:02:26
                                    Start date:29/11/2022
                                    Path:C:\Windows\SysWOW64\chkdsk.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                    Imagebase:0xc80000
                                    File size:23040 bytes
                                    MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.533460019.0000000000C40000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.537923698.0000000004EB0000.00000004.00000001.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001B.00000002.531965809.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

                                    Disassembly

                                    No disassembly