Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe

Overview

General Information

Sample Name: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Analysis ID: 756016
MD5: 630ffd21c1de8a583a4e1627b8ac6534
SHA1: 7cdb7d33a07326fa3b2699bb7308889a0920541a
SHA256: 02b628dcbfaa0cad2ccde62b1cfb16425a8d40b4cad9de200569ce1b84981612
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Scheduled temp file as task from temp location
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe ReversingLabs: Detection: 39%
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Joe Sandbox ML: detected
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.shinecleaningasheville.com/f9r5/"], "decoy": ["teknotimur.com", "zuliboo.com", "remmingtoncampbell.com", "vehicletitleloansphoenix.com", "sen-computer.com", "98731.biz", "shelikesblu.com", "canis-totem.com", "metaversemedianetwork.com", "adsdu.com", "vanishmediasystems.com", "astewaykebede.com", "wszhongxue.com", "gacha-animator-free.com", "papatyadekorasyon.com", "mqc168.top", "simplebrilliantsolutions.com", "jubileehawkesprairie.com", "ridflab.com", "conboysfilm.com", "iseemerit.world", "airhbb.com", "haveyourshare.com", "qcstcsz.com", "attorneykarinaramirez.com", "patriziabartelle.com", "dcc.coop", "hdzz.top", "treesandstarsoracle.com", "rebarunikont.com", "achivego.site", "baipiao100.com", "menslibwrty.com", "insulationtraining.online", "horseflix.club", "suxyqyu.xyz", "sqoki.com", "ffbsjhvbsjhbvsajv.xyz", "beapest.cfd", "4892166.com", "dvdmediastar.com", "hotwomensearching4u.site", "cupompetlover.com", "terrapretasales.com", "joinsequene.com", "powerkitap.com", "jonjene.com", "wqcwgl.com", "utahexotics.com", "ballerboutique.com", "cftronline.com", "gettidaladvance.site", "anagladstonedesign.com", "bunsi-figura.store", "ttvip-13.net", "cmjysx-uqps.website", "ifealafia.com", "carlospainter.com", "elitetrio.xyz", "inggridangelia.com", "leporebaq.com", "youpinhang.com", "palm3d.net", "wo567567.com"]}
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msiexec.pdb source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Malware configuration extractor URLs: www.shinecleaningasheville.com/f9r5/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320494921.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320525670.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320440189.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320571444.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320394274.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320301449.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/-&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Q&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/X&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320263598.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320191564.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320099257.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318642829.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318619322.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319492794.00000000057CA000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319310856.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319212503.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319392230.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319015579.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319279685.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319941075.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319762053.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318849645.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320055869.00000000057D4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319986515.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319836497.00000000057D2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.318972157.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319601112.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319559496.00000000057D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u&
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.313670458.00000000057D3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320237486.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320477184.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319735455.00000000057C3000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320289081.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320716381.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320419124.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320513514.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320160969.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320652389.00000000057BE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320327067.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320085368.00000000057C6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319864076.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, 
SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320019809.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319971645.00000000057C4000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.320556591.00000000057C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000003.319806390.00000000057C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comn
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.362716051.00000000069C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 1044, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 1044, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msiexec.exe PID: 5544, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: String function: 010E5720 appears 85 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: String function: 0105B150 appears 177 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: String function: 010AD08C appears 48 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01099860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_01099660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010996E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_010996E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099910 NtAdjustPrivilegesToken, 6_2_01099910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099950 NtQueueApcThread, 6_2_01099950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010999A0 NtCreateSection, 6_2_010999A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010999D0 NtCreateProcessEx, 6_2_010999D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099820 NtEnumerateKey, 6_2_01099820
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109B040 NtSuspendThread, 6_2_0109B040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099840 NtDelayExecution, 6_2_01099840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010998A0 NtWriteVirtualMemory, 6_2_010998A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010998F0 NtReadVirtualMemory, 6_2_010998F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099B00 NtSetValueKey, 6_2_01099B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109A3B0 NtGetContextThread, 6_2_0109A3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099A00 NtProtectVirtualMemory, 6_2_01099A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099A10 NtQuerySection, 6_2_01099A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099A20 NtResumeThread, 6_2_01099A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099A50 NtCreateFile, 6_2_01099A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099A80 NtOpenDirectoryObject, 6_2_01099A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099520 NtWaitForSingleObject, 6_2_01099520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109AD30 NtSetContextThread, 6_2_0109AD30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099540 NtReadFile, 6_2_01099540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099560 NtWriteFile, 6_2_01099560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010995D0 NtClose, 6_2_010995D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010995F0 NtQueryInformationFile, 6_2_010995F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109A710 NtOpenProcessToken, 6_2_0109A710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099710 NtQueryInformationToken, 6_2_01099710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099730 NtQueryVirtualMemory, 6_2_01099730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099760 NtOpenProcess, 6_2_01099760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109A770 NtOpenThread, 6_2_0109A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099770 NtSetInformationFile, 6_2_01099770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099780 NtMapViewOfSection, 6_2_01099780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010997A0 NtUnmapViewOfSection, 6_2_010997A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099FE0 NtCreateMutant, 6_2_01099FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099610 NtEnumerateValueKey, 6_2_01099610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099650 NtQueryValueKey, 6_2_01099650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099670 NtQueryInformationProcess, 6_2_01099670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010996D0 NtCreateKey, 6_2_010996D0
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310398354.00000000004E0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameQxoP.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePrecision.dll6 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameInspector.dllN vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.364294039.0000000007190000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCollins.dll8 vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.358683097.000000000114F000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.352743513.0000000000E16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.356648553.0000000000FB6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Binary or memory string: OriginalFilenameQxoP.exeB vs SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: owFIYUUG.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File created: C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File created: C:\Users\user\AppData\Local\Temp\tmpE80B.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/9@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File read: C:\Users\user\Desktop\desktop.ini
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr Binary or memory string: insert into User_Transportation(UserID,TransportationID) values (@UserID,@TransID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr Binary or memory string: insert into TourPlace(Name,Location,TicketPrice) values (@name,@location,@ticket);
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000000.310229761.0000000000402000.00000002.00000001.01000000.00000003.sdmp, owFIYUUG.exe.0.dr Binary or memory string: insert into User_TourPlace(UserID,TourPlaceID) values (@UserID,@TourplaceID);
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3492:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2960:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2940:120:WilError_01
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe String found in binary or memory: AddUserButton'AddUserPhoneTextbox'AdduserEmailtextbox-Adduserpasswordtextbox
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe String found in binary or memory: Username:-AddusertextBoxUsernameCash
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: msiexec.pdb source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: owFIYUUG.exe, 0000000A.00000002.523173571.000000000168A000.00000004.00000020.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523077272.0000000001679000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.351513245.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000003.354790226.0000000000E97000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000006.00000002.357731731.0000000001030000.00000040.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 0000000A.00000002.523742351.0000000001AD0000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.579299461.0000000004B9F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.578391145.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.525371187.00000000048EC000.00000004.00000800.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.522656943.000000000474A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Code function: 5_2_0168F401 push ecx; ret 5_2_0168F415
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Code function: 5_2_07D365EA push edx; retf 5_2_07D365EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010AD0D1 push ecx; ret 6_2_010AD0E4
Source: initial sample Static PE information: section name: .text entropy: 7.640989875299505
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe File created: C:\Users\user\AppData\Roaming\owFIYUUG.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 5.2.owFIYUUG.exe.3012e30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.owFIYUUG.exe.3030600.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.283072c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.2812f5c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe PID: 5808, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: owFIYUUG.exe PID: 5580, type: MEMORYSTR
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.358868037.0000000002ACB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe, 00000000.00000002.356409073.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.376634128.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe TID: 5816 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe TID: 2528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5588 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe TID: 5576 Thread sleep time: -38122s >= -30000s
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe TID: 5636 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01086B90 rdtsc 6_2_01086B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9477
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe API coverage: 0.5 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Thread delayed: delay time: 38122
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Thread delayed: delay time: 38122
Source: explorer.exe, 0000000B.00000000.489448105.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.382222721.00000000043B0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.410055991.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000B.00000000.489448105.0000000008631000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: owFIYUUG.exe, 00000005.00000002.379609104.00000000032CA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059100 mov eax, dword ptr fs:[00000030h] 6_2_01059100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01060100 mov eax, dword ptr fs:[00000030h] 6_2_01060100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01074120 mov eax, dword ptr fs:[00000030h] 6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01074120 mov ecx, dword ptr fs:[00000030h] 6_2_01074120
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108513A mov eax, dword ptr fs:[00000030h] 6_2_0108513A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01053138 mov ecx, dword ptr fs:[00000030h] 6_2_01053138
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01111951 mov eax, dword ptr fs:[00000030h] 6_2_01111951
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B944 mov eax, dword ptr fs:[00000030h] 6_2_0107B944
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105395E mov eax, dword ptr fs:[00000030h] 6_2_0105395E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105C962 mov eax, dword ptr fs:[00000030h] 6_2_0105C962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111E962 mov eax, dword ptr fs:[00000030h] 6_2_0111E962
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105B171 mov eax, dword ptr fs:[00000030h] 6_2_0105B171
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01128966 mov eax, dword ptr fs:[00000030h] 6_2_01128966
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107C182 mov eax, dword ptr fs:[00000030h] 6_2_0107C182
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108A185 mov eax, dword ptr fs:[00000030h] 6_2_0108A185
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01058190 mov ecx, dword ptr fs:[00000030h] 6_2_01058190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01082990 mov eax, dword ptr fs:[00000030h] 6_2_01082990
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01084190 mov eax, dword ptr fs:[00000030h] 6_2_01084190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111A189 mov eax, dword ptr fs:[00000030h] 6_2_0111A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111A189 mov ecx, dword ptr fs:[00000030h] 6_2_0111A189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105519E mov eax, dword ptr fs:[00000030h] 6_2_0105519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105519E mov ecx, dword ptr fs:[00000030h] 6_2_0105519E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010661A7 mov eax, dword ptr fs:[00000030h] 6_2_010661A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0112F1B5 mov eax, dword ptr fs:[00000030h] 6_2_0112F1B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010861A0 mov eax, dword ptr fs:[00000030h] 6_2_010861A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D69A6 mov eax, dword ptr fs:[00000030h] 6_2_010D69A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D51BE mov eax, dword ptr fs:[00000030h] 6_2_010D51BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010899BC mov eax, dword ptr fs:[00000030h] 6_2_010899BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011149A4 mov eax, dword ptr fs:[00000030h] 6_2_011149A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108C9BF mov eax, dword ptr fs:[00000030h] 6_2_0108C9BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010799BF mov ecx, dword ptr fs:[00000030h] 6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010799BF mov eax, dword ptr fs:[00000030h] 6_2_010799BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010699C7 mov eax, dword ptr fs:[00000030h] 6_2_010699C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106C1C0 mov eax, dword ptr fs:[00000030h] 6_2_0106C1C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011119D8 mov eax, dword ptr fs:[00000030h] 6_2_011119D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011131DC mov eax, dword ptr fs:[00000030h] 6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011131DC mov ecx, dword ptr fs:[00000030h] 6_2_011131DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105B1E1 mov eax, dword ptr fs:[00000030h] 6_2_0105B1E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010531E0 mov eax, dword ptr fs:[00000030h] 6_2_010531E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010E41E8 mov eax, dword ptr fs:[00000030h] 6_2_010E41E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107D1EF mov eax, dword ptr fs:[00000030h] 6_2_0107D1EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011289E7 mov eax, dword ptr fs:[00000030h] 6_2_011289E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01056800 mov eax, dword ptr fs:[00000030h] 6_2_01056800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01124015 mov eax, dword ptr fs:[00000030h] 6_2_01124015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108701D mov eax, dword ptr fs:[00000030h] 6_2_0108701D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D7016 mov eax, dword ptr fs:[00000030h] 6_2_010D7016
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108002D mov eax, dword ptr fs:[00000030h] 6_2_0108002D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01084020 mov edi, dword ptr fs:[00000030h] 6_2_01084020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106B02A mov eax, dword ptr fs:[00000030h] 6_2_0106B02A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A830 mov eax, dword ptr fs:[00000030h] 6_2_0107A830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01111843 mov eax, dword ptr fs:[00000030h] 6_2_01111843
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01057057 mov eax, dword ptr fs:[00000030h] 6_2_01057057
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01055050 mov eax, dword ptr fs:[00000030h] 6_2_01055050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01070050 mov eax, dword ptr fs:[00000030h] 6_2_01070050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01112073 mov eax, dword ptr fs:[00000030h] 6_2_01112073
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01121074 mov eax, dword ptr fs:[00000030h] 6_2_01121074
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107F86D mov eax, dword ptr fs:[00000030h] 6_2_0107F86D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059080 mov eax, dword ptr fs:[00000030h] 6_2_01059080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01053880 mov eax, dword ptr fs:[00000030h] 6_2_01053880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D3884 mov eax, dword ptr fs:[00000030h] 6_2_010D3884
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010990AF mov eax, dword ptr fs:[00000030h] 6_2_010990AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010820A0 mov eax, dword ptr fs:[00000030h] 6_2_010820A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010628AE mov eax, dword ptr fs:[00000030h] 6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010628AE mov ecx, dword ptr fs:[00000030h] 6_2_010628AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010878A0 mov eax, dword ptr fs:[00000030h] 6_2_010878A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108F0BF mov eax, dword ptr fs:[00000030h] 6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108F0BF mov eax, dword ptr fs:[00000030h] 6_2_0108F0BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010570C0 mov eax, dword ptr fs:[00000030h] 6_2_010570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010570C0 mov eax, dword ptr fs:[00000030h] 6_2_010570C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010578D6 mov eax, dword ptr fs:[00000030h] 6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010578D6 mov eax, dword ptr fs:[00000030h] 6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010578D6 mov ecx, dword ptr fs:[00000030h] 6_2_010578D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111B0C7 mov eax, dword ptr fs:[00000030h] 6_2_0111B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111B0C7 mov eax, dword ptr fs:[00000030h] 6_2_0111B0C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011118CA mov eax, dword ptr fs:[00000030h] 6_2_011118CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov ecx, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010EB8D0 mov eax, dword ptr fs:[00000030h] 6_2_010EB8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B8E4 mov eax, dword ptr fs:[00000030h] 6_2_0107B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B8E4 mov eax, dword ptr fs:[00000030h] 6_2_0107B8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h] 6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h] 6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010540E1 mov eax, dword ptr fs:[00000030h] 6_2_010540E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h] 6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h] 6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h] 6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011160F5 mov eax, dword ptr fs:[00000030h] 6_2_011160F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010588E0 mov eax, dword ptr fs:[00000030h] 6_2_010588E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010558EC mov eax, dword ptr fs:[00000030h] 6_2_010558EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h] 6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h] 6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010628FD mov eax, dword ptr fs:[00000030h] 6_2_010628FD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111131B mov eax, dword ptr fs:[00000030h] 6_2_0111131B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A309 mov eax, dword ptr fs:[00000030h] 6_2_0107A309
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105DB40 mov eax, dword ptr fs:[00000030h] 6_2_0105DB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01128B58 mov eax, dword ptr fs:[00000030h] 6_2_01128B58
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h] 6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h] 6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h] 6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B5A mov eax, dword ptr fs:[00000030h] 6_2_01083B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105F358 mov eax, dword ptr fs:[00000030h] 6_2_0105F358
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105DB60 mov ecx, dword ptr fs:[00000030h] 6_2_0105DB60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h] 6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h] 6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010E6365 mov eax, dword ptr fs:[00000030h] 6_2_010E6365
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B7A mov eax, dword ptr fs:[00000030h] 6_2_01083B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01083B7A mov eax, dword ptr fs:[00000030h] 6_2_01083B7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01057B70 mov eax, dword ptr fs:[00000030h] 6_2_01057B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h] 6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h] 6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106F370 mov eax, dword ptr fs:[00000030h] 6_2_0106F370
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h] 6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h] 6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108138B mov eax, dword ptr fs:[00000030h] 6_2_0108138B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010FEB8A mov ecx, dword ptr fs:[00000030h] 6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h] 6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h] 6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010FEB8A mov eax, dword ptr fs:[00000030h] 6_2_010FEB8A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01061B8F mov eax, dword ptr fs:[00000030h] 6_2_01061B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01061B8F mov eax, dword ptr fs:[00000030h] 6_2_01061B8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0110D380 mov ecx, dword ptr fs:[00000030h] 6_2_0110D380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01054B94 mov edi, dword ptr fs:[00000030h] 6_2_01054B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108B390 mov eax, dword ptr fs:[00000030h] 6_2_0108B390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111138A mov eax, dword ptr fs:[00000030h] 6_2_0111138A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107EB9A mov eax, dword ptr fs:[00000030h] 6_2_0107EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107EB9A mov eax, dword ptr fs:[00000030h] 6_2_0107EB9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01082397 mov eax, dword ptr fs:[00000030h] 6_2_01082397
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01128BB6 mov eax, dword ptr fs:[00000030h] 6_2_01128BB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h] 6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h] 6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01084BAD mov eax, dword ptr fs:[00000030h] 6_2_01084BAD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01129BBE mov eax, dword ptr fs:[00000030h] 6_2_01129BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01125BA5 mov eax, dword ptr fs:[00000030h] 6_2_01125BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01111BA8 mov eax, dword ptr fs:[00000030h] 6_2_01111BA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D53CA mov eax, dword ptr fs:[00000030h] 6_2_010D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010D53CA mov eax, dword ptr fs:[00000030h] 6_2_010D53CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010853C5 mov eax, dword ptr fs:[00000030h] 6_2_010853C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010803E2 mov eax, dword ptr fs:[00000030h] 6_2_010803E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01051BE9 mov eax, dword ptr fs:[00000030h] 6_2_01051BE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0107DBE9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011023E3 mov ecx, dword ptr fs:[00000030h] 6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011023E3 mov ecx, dword ptr fs:[00000030h] 6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_011023E3 mov eax, dword ptr fs:[00000030h] 6_2_011023E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov ecx, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0106BA00 mov eax, dword ptr fs:[00000030h] 6_2_0106BA00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111AA16 mov eax, dword ptr fs:[00000030h] 6_2_0111AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111AA16 mov eax, dword ptr fs:[00000030h] 6_2_0111AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01068A0A mov eax, dword ptr fs:[00000030h] 6_2_01068A0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105AA16 mov eax, dword ptr fs:[00000030h] 6_2_0105AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0105AA16 mov eax, dword ptr fs:[00000030h] 6_2_0105AA16
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h] 6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01055210 mov ecx, dword ptr fs:[00000030h] 6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h] 6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01055210 mov eax, dword ptr fs:[00000030h] 6_2_01055210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01073A1C mov eax, dword ptr fs:[00000030h] 6_2_01073A1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01094A2C mov eax, dword ptr fs:[00000030h] 6_2_01094A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01094A2C mov eax, dword ptr fs:[00000030h] 6_2_01094A2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01054A20 mov eax, dword ptr fs:[00000030h] 6_2_01054A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01054A20 mov eax, dword ptr fs:[00000030h] 6_2_01054A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107A229 mov eax, dword ptr fs:[00000030h] 6_2_0107A229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0107B236 mov eax, dword ptr fs:[00000030h] 6_2_0107B236
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01111229 mov eax, dword ptr fs:[00000030h] 6_2_01111229
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h] 6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h] 6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01058239 mov eax, dword ptr fs:[00000030h] 6_2_01058239
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111EA55 mov eax, dword ptr fs:[00000030h] 6_2_0111EA55
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h] 6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h] 6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h] 6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01059240 mov eax, dword ptr fs:[00000030h] 6_2_01059240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01111A5F mov eax, dword ptr fs:[00000030h] 6_2_01111A5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010E4257 mov eax, dword ptr fs:[00000030h] 6_2_010E4257
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h] 6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h] 6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h] 6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01115A4F mov eax, dword ptr fs:[00000030h] 6_2_01115A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h] 6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h] 6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01095A69 mov eax, dword ptr fs:[00000030h] 6_2_01095A69
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0110B260 mov eax, dword ptr fs:[00000030h] 6_2_0110B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0110B260 mov eax, dword ptr fs:[00000030h] 6_2_0110B260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01128A62 mov eax, dword ptr fs:[00000030h] 6_2_01128A62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0109927A mov eax, dword ptr fs:[00000030h] 6_2_0109927A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108DA88 mov eax, dword ptr fs:[00000030h] 6_2_0108DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108DA88 mov eax, dword ptr fs:[00000030h] 6_2_0108DA88
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0111129A mov eax, dword ptr fs:[00000030h] 6_2_0111129A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108D294 mov eax, dword ptr fs:[00000030h] 6_2_0108D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_0108D294 mov eax, dword ptr fs:[00000030h] 6_2_0108D294
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h] 6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h] 6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h] 6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h] 6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_010552A5 mov eax, dword ptr fs:[00000030h] 6_2_010552A5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01051AA0 mov eax, dword ptr fs:[00000030h] 6_2_01051AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Code function: 6_2_01099860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01099860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1110000
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3324
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmpE80B.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\owFIYUUG" /XML "C:\Users\user\AppData\Local\Temp\tmp2BCB.tmp
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Process created: C:\Users\user\AppData\Roaming\owFIYUUG.exe C:\Users\user\AppData\Roaming\owFIYUUG.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Roaming\owFIYUUG.exe"
Source: explorer.exe, 0000000B.00000000.455879712.00000000086BD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.445782699.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.479992924.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000B.00000000.378208988.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.377066230.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.445159754.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000000.479345772.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Queries volume information: C:\Users\user\AppData\Roaming\owFIYUUG.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\owFIYUUG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 6.0.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a9ff80.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.24274.13707.exe.3a339f0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.488494638.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.454264842.00000000079B3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.350969233.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.576589100.0000000000980000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.360338705.0000000003A33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578229480.0000000004870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.578188907.0000000004840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos