Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	7.526170097073496
Filename:	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe
Filesize:	175240
MD5:	13595ca5d5503aee4b4c67cd2ed5730c
SHA1:	64a9bcc3e14191f5a9c3fe658c3dbd99e179d001
SHA256:	0a3c781e42db27377f9790a4cd0c5f73f33c93255ba51dd2e5e517fa7482e2de
SHA512:	ba9e79ecc32bb2a916f9e872952012646928fcc07a448adf95599ca5c78dcc786e9ad0da9ea3e4942fc0d9915210c18bff13d943e47b661d3bf9b0d1045b0155
SSDEEP:	3072:bv4C5qhzZdgq7CeRZlTQCAKNq6b8iiQytEdezhQp4aOjPxED:bNoEq/j96KNbdiNEde6p4aOa
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................T...........r... ........@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains method to dynamically call methods (often used by packers)	Data Obfuscation
.NET source code references suspicious native API functions	HIPS / PFW / Operating System Protection Evasion	Native API
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Checks if the current process is being debugged	Anti Debugging
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
One or more processes crash	System Summary
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses 32bit PE files	Compliance, System Summary	Masquerading
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary
.NET source code contains calls to encryption/decryption functions	System Summary	Disable or Modify Tools Deobfuscate/Decode Files or Information
.NET source code contains many randomly named methods	Data Obfuscation	Disable or Modify Tools
.NET source code contains suspicious URLs	System Summary	Disable or Modify Tools
Contains functionality to modify the execution of threads in other processes
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Uses Microsoft Silverlight	System Summary

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_ab57bd3284d196bd7ec453d15d15a137caef7f6_11f66400_82455a3c-da68-4fcf-a9d1-0c34bf279a06\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_ab57bd3284d196bd7ec453d15d15a137caef7f6_11f66400_82455a3c-da68-4fcf-a9d1-0c34bf279a06\Report.wer
Category:	dropped
Dump:	Report.wer.6.dr
ID:	dr_6
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	0.9170271694489426
Encrypted:	false
Ssdeep:	192:94tQgOo9nVoTGjc0BU/KaGvzuiFiZ24IO8KU:XgOo9nCijXBU/Ka+zuiFiY4IO8K
Size:	65536
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER748C.tmp.dmp

Mini DuMP crash report, 15 streams, Thu Mar 28 09:25:30 2024, 0x1205a4 type

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER748C.tmp.dmp
Category:	dropped
Dump:	WER748C.tmp.dmp.6.dr
ID:	dr_3
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	Mini DuMP crash report, 15 streams, Thu Mar 28 09:25:30 2024, 0x1205a4 type
Entropy:	3.421936843946023
Encrypted:	false
Ssdeep:	1536:ZHLHkhcCpN4uE2aOmfLWLTgW1qCBxeCDPe7kSdOgcqcs2WLGeWB4uT:lj+4uEqnLTgW11b9Pe7kSdOZ
Size:	144525
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER76AF.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER76AF.tmp.WERInternalMetadata.xml
Category:	dropped
Dump:	WER76AF.tmp.WERInternalMetadata.xml.6.dr
ID:	dr_4
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy:	3.7033959593450283
Encrypted:	false
Ssdeep:	192:R6l7wVeJ8P6s6YSOSU93wgmfA4J6Fprr89b7+sfpg3Jm:R6lXJk6s6YLSU9ggmfA4Jn79fpg0
Size:	8476
Whitelisted:	false
Reputation:	low

C:\ProgramData\Microsoft\Windows\WER\Temp\WER772D.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\Microsoft\Windows\WER\Temp\WER772D.tmp.xml
Category:	dropped
Dump:	WER772D.tmp.xml.6.dr
ID:	dr_5
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Entropy:	4.561778000670956
Encrypted:	false
Ssdeep:	48:cvIwWl8zssJg77aI9l6WpW8VYX5Ym8M4JKghAFN+q87M0LGGts4pthd:uIjfqI7n77VQoJAuLGGs4Lhd
Size:	4842
Whitelisted:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Category:	dropped
Dump:	RegAsm.exe.log.3.dr
ID:	dr_0
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.347863460191528
Encrypted:	false
Ssdeep:	24:ML9E4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze41qE4qpsXE4qdKm:MxHKlYHKh3oIHKntHo6hAHKze41qHpHA
Size:	1248
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\VFZJMER1OXAF8SLHTCHET0W3HVJJKMG5

Zip archive data, at least v2.0 to extract, compression method=store

dropped

Details

File:	C:\Users\user\AppData\Local\VFZJMER1OXAF8SLHTCHET0W3HVJJKMG5
Category:	dropped
Dump:	VFZJMER1OXAF8SLHTCHET0W3HVJJKMG5.3.dr
ID:	dr_1
Target ID:	3
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy:	7.845337114801841
Encrypted:	false
Ssdeep:	1536:i/oRkoMRZ6EWsHm1QGVSbhZu1QhlvxDFvc6BaIXPoVy6Gf:iQqo4Dm1tV6+m7DxczUoVy6Gf
Size:	87573
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates files inside the user directory	System Summary	Masquerading

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.6.dr
ID:	dr_2
Target ID:	6
Process:	C:\Windows\SysWOW64\WerFault.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.37255338575641
Encrypted:	false
Ssdeep:	6144:MFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNGiL:8V1syWWI/glMM6kF7kq
Size:	1835008
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe

"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7016
Target ID:	0
Parent PID:	4084
Name:	SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe"
Size:	175240
MD5:	13595CA5D5503AEE4B4C67CD2ED5730C
Time:	10:25:29
Date:	28/03/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x870000
Modulesize:	180224
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected PureLog Stealer	Stealing of Sensitive Information, Remote Access Functionality
Yara detected Xehook Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE / OLE file has an invalid certificate	System Summary
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)	System Summary	Software Packing
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Binary contains paths to debug symbols	Compliance, System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Details

Is windows:	true
Is dropped:	false
PID:	3148
Target ID:	3
Parent PID:	7016
Name:	RegAsm.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Size:	65440
MD5:	0D5DF43AF2916F47D00C1573797C1A13
Time:	10:25:30
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x9d0000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Xehook Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2920
Target ID:	1
Parent PID:	7016
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	10:25:29
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 984

Details

Is windows:	true
Is dropped:	false
PID:	2736
Target ID:	6
Parent PID:	7016
Name:	WerFault.exe
Path:	C:\Windows\SysWOW64\WerFault.exe
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 984
Size:	483680
MD5:	C31336C1EFC2CCB44B4326EA793040F2
Time:	10:25:30
Date:	28/03/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1a0000
Modulesize:	499712
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://trecube.com/getjson.php?id=40

172.67.177.174

https://trecube.com/

172.67.177.174

https://trecube.com/gate.php?id=40&build=kokaine&passwords=0&cookies=2&username=user&country=US&ip=102.165.48.43&BSSID=f97a416a99bc6b1f20bdfbfefa6a73cf&wallets=0&token=xehook40788749&ext=0&filters=0&pcname=305090&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=

172.67.177.174

https://trecube.com/getloader.php?id=40

172.67.177.174

https://unotree.ru/

unknown

http://ip-api.com/json/?fields=11827

208.95.112.1

http://ip-api.com

unknown

https://t.me/xehook

unknown

http://upx.sf.net

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://trecube.com

unknown

http://trecube.com

unknown

https://www.cloudflare.com/5xx-error-landing

unknown

http://ip-api.com/line/?fields=hosting

unknown

https://trecube.com/gate.php?id=40&build=kokaine&passwords=0&cookies=2&username=user&country=US&ip

unknown

There are 5 hidden URLs, click here to show them.

Domains

Name

Malicious

trecube.com

172.67.177.174

Details

Name:	trecube.com
IP:	172.67.177.174
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

172.67.177.174

trecube.com

United States

Details

IP:	172.67.177.174
TargetID:	3
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	trecube.com

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Uses insecure TLS / SSL version for HTTPS connection	Compliance, Networking

208.95.112.1

ip-api.com

United States

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\RegAsm_RASMANCS

FileDirectory

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

ProgramId

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

FileId

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

LowerCaseLongPath

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

LongPathHash

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Name

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

OriginalFileName

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Publisher

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Version

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

BinFileVersion

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

BinaryType

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

ProductName

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

ProductVersion

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

LinkDate

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

BinProductVersion

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

AppxPackageFullName

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

AppxPackageRelativeId

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Size

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Language

\REGISTRY\A\{40a76fbc-8b14-eb5f-a555-3b49f07326d7}\Root\InventoryApplicationFile\securiteinfo.com|22dfda6f9f78231a

Usn

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceTicket

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

DeviceId

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}

ApplicationFlags

HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property

0018C00B8F8B0D2B

There are 28 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

872000

unkown

page readonly

2AA0000

heap

page read and write

6700000

trusted library allocation

page read and write

E45000

heap

page read and write

F70000

heap

page read and write

2EA4000

trusted library allocation

page read and write

2F47000

trusted library allocation

page read and write

6580000

trusted library allocation

page read and write

2C91000

trusted library allocation

page read and write

51E3000

trusted library allocation

page read and write

51C4000

trusted library allocation

page read and write

CFA000

stack

page read and write

F60000

trusted library allocation

page read and write

2F87000

trusted library allocation

page read and write

2C58000

trusted library allocation

page read and write

30B8000

trusted library allocation

page read and write

E3D000

heap

page read and write

11CE000

stack

page read and write

3EC4000

trusted library allocation

page read and write

3E57000

trusted library allocation

page read and write

2E51000

trusted library allocation

page read and write

649E000

stack

page read and write

6435000

trusted library allocation

page read and write

109B000

trusted library allocation

page execute and read and write

100F000

heap

page read and write

6950000

heap

page read and write

2C6E000

stack

page read and write

5FE3000

heap

page read and write

121B000

trusted library allocation

page execute and read and write

5FFA000

heap

page read and write

532E000

stack

page read and write

2F6E000

trusted library allocation

page read and write

2D2C000

stack

page read and write

51B2000

trusted library allocation

page read and write

694A000

heap

page read and write

1230000

trusted library allocation

page read and write

FA1000

heap

page read and write

5E4E000

stack

page read and write

6013000

heap

page read and write

5190000

trusted library allocation

page read and write

620D000

stack

page read and write

51D6000

trusted library allocation

page read and write

F64000

trusted library allocation

page read and write

9F0000

heap

page read and write

EC0000

heap

page read and write

2FA9000

trusted library allocation

page read and write

658A000

trusted library allocation

page read and write

2A70000

trusted library allocation

page read and write

E90000

heap

page read and write

556E000

stack

page read and write

2E9E000

trusted library allocation

page read and write

5E8E000

stack

page read and write

115F000

stack

page read and write

542F000

stack

page read and write

624E000

stack

page read and write

1202000

trusted library allocation

page read and write

9ED000

stack

page read and write

11F0000

trusted library allocation

page read and write

E53000

heap

page read and write

11EE000

stack

page read and write

9A0000

heap

page read and write

1017000

heap

page read and write

60CE000

stack

page read and write

2EC2000

trusted library allocation

page read and write

692D000

stack

page read and write

51BE000

trusted library allocation

page read and write

F53000

trusted library allocation

page execute and read and write

11E4000

trusted library allocation

page read and write

10E0000

heap

page read and write

11E0000

trusted library allocation

page read and write

61CE000

stack

page read and write

51E5000

trusted library allocation

page read and write

1217000

trusted library allocation

page execute and read and write

E1E000

heap

page read and write

3C95000

trusted library allocation

page read and write

F9F000

heap

page read and write

E88000

heap

page read and write

F54000

trusted library allocation

page read and write

1200000

trusted library allocation

page read and write

F69000

heap

page read and write

2E30000

trusted library allocation

page read and write

5200000

trusted library allocation

page read and write

D78000

stack

page read and write

2A90000

trusted library allocation

page execute and read and write

F3E000

stack

page read and write

2EC6000

trusted library allocation

page read and write

2C9A000

trusted library allocation

page read and write

402000

remote allocation

page execute and read and write

10C0000

trusted library allocation

page execute and read and write

6590000

trusted library allocation

page execute and read and write

400000

remote allocation

page execute and read and write

2C80000

heap

page execute and read and write

F4E000

stack

page read and write

6940000

heap

page read and write

51F0000

trusted library allocation

page read and write

5D4E000

stack

page read and write

2E86000

trusted library allocation

page read and write

638E000

stack

page read and write

EF5000

heap

page read and write

6AF0000

heap

page read and write

6450000

trusted library allocation

page execute and read and write

2F0E000

trusted library allocation

page read and write

628E000

stack

page read and write

10B0000

trusted library allocation

page read and write

E97000

heap

page read and write

EF0000

heap

page read and write

1206000

trusted library allocation

page execute and read and write

640E000

stack

page read and write

66CE000

stack

page read and write

11ED000

trusted library allocation

page execute and read and write

29CE000

stack

page read and write

2E96000

trusted library allocation

page read and write

65C0000

trusted library allocation

page read and write

2F6C000

trusted library allocation

page read and write

5F90000

heap

page read and write

6430000

trusted library allocation

page read and write

51E0000

heap

page execute and read and write

63CE000

stack

page read and write

E80000

heap

page read and write

54CE000

stack

page read and write

526E000

stack

page read and write

E10000

heap

page read and write

990000

heap

page read and write

DE0000

heap

page read and write

7FC40000

trusted library allocation

page execute and read and write

2FAF000

trusted library allocation

page read and write

1212000

trusted library allocation

page read and write

F60000

heap

page read and write

F5D000

trusted library allocation

page execute and read and write

2E2D000

stack

page read and write

2B2E000

stack

page read and write

1090000

trusted library allocation

page read and write

2C98000

trusted library allocation

page execute and read and write

FE9000

heap

page read and write

C7C000

stack

page read and write

574E000

stack

page read and write

2BAF000

stack

page read and write

2E84000

trusted library allocation

page read and write

2AEF000

stack

page read and write

E00000

trusted library allocation

page read and write

1210000

trusted library allocation

page read and write

2C30000

trusted library allocation

page execute and read and write

3E79000

trusted library allocation

page read and write

6750000

trusted library allocation

page read and write

4D8E000

stack

page read and write

560E000

stack

page read and write

1180000

heap

page read and write

2E92000

trusted library allocation

page read and write

F40000

heap

page read and write

2C2E000

stack

page read and write

1215000

trusted library allocation

page execute and read and write

674B000

stack

page read and write

2C40000

heap

page read and write

1097000

trusted library allocation

page execute and read and write

E3B000

heap

page read and write

52EE000

stack

page read and write

6760000

trusted library allocation

page read and write

2E8E000

trusted library allocation

page read and write

6770000

heap

page read and write

107F000

stack

page read and write

2EEA000

trusted library allocation

page read and write

550D000

stack

page read and write

546E000

stack

page read and write

F94000

heap

page read and write

5F8E000

stack

page read and write

3C91000

trusted library allocation

page read and write

120A000

trusted library allocation

page execute and read and write

6960000

heap

page read and write

92C000

stack

page read and write

10D0000

trusted library allocation

page read and write

2E40000

heap

page execute and read and write

1240000

heap

page read and write

30E6000

trusted library allocation

page read and write

11D0000

trusted library allocation

page read and write

3E99000

trusted library allocation

page read and write

E1A000

heap

page read and write

564E000

stack

page read and write

870000

unkown

page readonly

1045000

heap

page read and write

3EA1000

trusted library allocation

page read and write

11E3000

trusted library allocation

page execute and read and write

3E51000

trusted library allocation

page read and write

1187000

heap

page read and write

EA1000

heap

page read and write

5280000

heap

page execute and read and write

2E7D000

trusted library allocation

page read and write

2BED000

stack

page read and write

There are 177 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportSecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
SecuriteInfo.com.Win32.CrypterX-gen.9933.28197.exe