IOC Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Files

File Path | Type | Category | Malicious
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7a157073226634c33dd8e08437f6e586c2306e78_5c1322d7_140d63f1\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_12416ae6\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A9A.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Feb 8 03:55:10 2023, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B57.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5BF4.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6604.tmp.dmp | Mini DuMP crash report, 14 streams, Wed Feb 8 03:55:12 2023, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER66A1.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6700.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |
C:\Windows\appcompat\Programs\Amcache.hve.LOG1 | MS Windows registry file, NT/2000 or above | dropped |

Apart from the initial sample, every entry above is an operating-system artifact rather than a file written by the sample: the Report.wer files, the two minidumps and the WER metadata XML are produced by Windows Error Reporting when a process crashes, and Amcache.hve / Amcache.hve.LOG1 are the application-compatibility inventory hive that Windows updates whenever a new executable runs. The two minidumps are two seconds apart (03:55:10 and 03:55:12), matching the two AppCrash report directories.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe | C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 212 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5380 -s 212 |

The two WerFault.exe instances are Windows Error Reporting handling a user-mode crash (-u); -p 5380 is the PID of the crashing process. Read together with the WER files and minidumps under Files, this shows the 32-bit sample terminated with an unhandled exception in the sandbox, so the dynamic indicators in this report only cover the code that executed before the crash.

URLs

Name | IP | Malicious
http://www.clamav.net | unknown |
http://upx.sf.net | unknown |

An IP of "unknown" means no DNS resolution or connection to either host was observed; these URLs are most likely strings found in the binary or its memory rather than network activity. http://upx.sf.net is the URL embedded in the UPX decompression stub, so it is a packer artifact, not infrastructure, and www.clamav.net should be treated the same way unless traffic to it is actually seen.
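The http://upx.sf.net entry is the URL carried in the UPX decompression stub, so the first check worth running on the sample is whether it is UPX-packed. The script below is an added example and not part of the sandbox report: it walks the PE section table by hand (no pefile dependency) and scans for the stub strings. The sample itself is not available here, so build_fake_pe() constructs a minimal PE image as test input; the report does not state that the sample is packed, that is what this check establishes.

```python
"""Check a PE32 file for UPX packer indicators (added example, not from the report)."""
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_STUB_STRINGS = (b"http://upx.sf.net", b"UPX!")


def section_names(data: bytes) -> list[str]:
    """Return the section names from the COFF section table, or [] if the
    buffer is not a well-formed PE (bad MZ/PE signatures or truncated headers)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # 20-byte COFF file header
    if coff + 20 > len(data):
        return []
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):            # each section header is 40 bytes, name first
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            break                            # truncated table: stop rather than guess
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> dict:
    """Collect section names, UPX-named sections and stub strings present."""
    names = section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n.encode() in UPX_SECTION_NAMES],
        "stub_strings": [s.decode() for s in UPX_STUB_STRINGS if s in data],
    }


def is_probably_upx(data: bytes) -> bool:
    """UPX-named sections or the stub URL are each strong evidence of packing."""
    ind = upx_indicators(data)
    return bool(ind["upx_sections"]) or "http://upx.sf.net" in ind["stub_strings"]


def build_fake_pe(names: list[bytes], tail: bytes = b"") -> bytes:
    """Constructed test input, not a real sample: DOS header, PE signature,
    COFF header with an empty optional header, and a section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms,
    # SizeOfOptionalHeader=0, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + table + tail


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:  # no file given: use the constructed image
        blob = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0http://upx.sf.net\0")
    print(upx_indicators(blob), "UPX-packed:", is_probably_upx(blob))
```

Run it against the real sample with `python check_upx.py sample.exe`. UPX0/UPX1 section names together with the stub URL are strong evidence of stock UPX, and `upx -d` will then usually give the unpacked binary for static analysis; the stub string without the section names suggests the sections were renamed to defeat exactly this kind of check, which is still worth recording as an indicator.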

Registry

Path | Value | Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
  Values: AmiHivePermissionsCorrect, AmiHiveOwnerCorrect

\REGISTRY\A\{3a52133f-bb59-6ced-5f1e-641ef122b3e2}\Root\InventoryApplicationFile\securiteinfo.com|f47bdf91
  Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, Size, Language, IsPeFile, IsOsComponent

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
  Values: ExceptionRecord

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
  Values: DeviceTicket, DeviceId, ApplicationFlags

HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Property
  Values: 001840064172BCE4

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
  Values: ClockTimeSeconds, TickCount

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\Debug
  Values: ExceptionRecord

None of these entries is flagged as malicious. The \REGISTRY\A\{...}\Root\InventoryApplicationFile\securiteinfo.com|f47bdf91 key is the Amcache hive (Amcache.hve under Files) loaded as an application hive; its seventeen values are the inventory record Windows writes for the executed sample and are the forensic trace of execution rather than activity by the sample. The ExceptionRecord value under Windows Error Reporting\Debug is written on crash and appears twice, once per crash report. 17 further registry entries are not included in this export.

Memdumps

Base Address (hex) | Region type | Protect | Malicious
570000 | heap | page read and write |
19D000 | stack | page read and write |
42B000 | unknown | page write copy |
423000 | unknown | page readonly |
425000 | unknown | page write copy |
401000 | unknown | page execute read |
9D000 | stack | page read and write |
69A000 | heap | page read and write |
401000 | unknown | page execute read |
690000 | heap | page read and write |
400000 | unknown | page readonly |
42B000 | unknown | page write copy |
1F0000 | heap | page read and write |
423000 | unknown | page readonly |
425000 | unknown | page write copy |
400000 | unknown | page readonly |
30000 | heap | page read and write |

None of these regions is flagged as malicious. The regions at 400000 (read-only headers), 401000 (execute/read code) and 423000, 425000 and 42B000 (data, read-only and write-copy) are the sample's own image mapped at the default PE32 base of 0x400000; the same set appears twice, presumably because memory was dumped at two points during the run. 7 further memdumps are not included in this export.