Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Analysis ID:	800793
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

One or more processes crash

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe (PID: 5948 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe MD5: BD13975ABC6AC3E5A97706A45F48F7DF)

WerFault.exe (PID: 6040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	String found in binary or memory: http://www.clamav.net

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412098	0_2_00412098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040D0A4	0_2_0040D0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00420B22	0_2_00420B22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040DBDA	0_2_0040DBDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412D62	0_2_00412D62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00414691	0_2_00414691
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0041BF83	0_2_0041BF83

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: classification engine

Classification label: mal56.winEXE@3/10@0/0

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5948

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: real checksum: 0x32ef3 should be: 0x38ad4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_00418A50 push eax; ret

0_2_00418A7E

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_0041CA40 LdrInitializeThunk,

0_2_0041CA40

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	13%	ReversingLabs
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	100%	Avira	TR/Crypt.XPACK.Gen

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800793
Start date and time:	2023-02-07 19:58:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Detection:	MAL
Classification:	mal56.winEXE@3/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 23%) Quality average: 19.5% Quality standard deviation: 36.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.89.179.12
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Joe Sandbox View / Context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6785938513999892
Encrypted:	false
SSDEEP:	192:eqj19H2YGwHBUZMXUKOjE/u7shS274It6LG:DR9H2YGYBUZMXUKOjE/u7shX4It6LG
MD5:	9E6F5F83756A722153DE06DB0296E447
SHA1:	938128D2C7E77AD36D0FDE60E0E156BD5ABDDB75
SHA-256:	49810D9D418FACA0C29426E9D0D040328CCD0145CE8EB0C30BF3BADF70139C90
SHA-512:	7ADAD777C04BDA5F89CC9895CA634870FD38B40BBC0C2D795B9541DB8460688A7013BA878A13C16151D7E87F040EB1D4170A14C2020C38347B76E12E6FC855BA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.2.3.9.7.7.0.2.4.7.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.2.3.9.8.3.1.1.7.9.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.e.7.0.e.a.a.-.9.c.a.2.-.4.f.a.e.-.b.7.5.1.-.e.d.7.7.0.8.c.4.f.a.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.d.f.d.7.8.6.-.4.c.5.b.-.4.b.c.8.-.8.9.8.7.-.3.5.0.1.0.e.3.4.e.d.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...2.3.8.6.2...2.3.7.8.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.3.c.-.0.0.0.1.-.0.0.1.a.-.9.0.9.3.-.3.c.c.e.7.1.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.4.4.4.f.b.3.6.6.f.a.4.3.2.4.0.c.d.5.7.5.d.7.a.5.8.e.1.3.b.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.4.e.7.0.c.5.1.5.0.8.1.5.3.0.8.e.1.7.b.b.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6890775397208573
Encrypted:	false
SSDEEP:	192:8zj19H2YlyOHK5S5KOjE/u7sGS274It6LG:QR9H2YlyGK5S5KOjE/u7sGX4It6LG
MD5:	53685A419CF7EC9EEB8E8B262B84AB14
SHA1:	664EB1A851BEE5C23313419260831F03DDEFD44A
SHA-256:	16706EECDC267A278870AEA6F43800D7FFBCAAAF1AADE5B3411689A9F186B983
SHA-512:	5F79E1FA7C6538F3D0CDF2607FFD7F73107BA54998AEB247ECDCA23E347649C19116420CF603DC6E3367794412610DEC3E3114DBC3583641C11AB3E90E1F6BB9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.2.4.3.2.5.7.8.9.8.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.2.4.3.3.1.2.5.8.6.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.6.6.a.5.d.7.-.3.9.b.c.-.4.7.e.f.-.8.5.c.b.-.b.8.5.d.3.3.7.7.9.9.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.3.d.2.0.6.c.-.d.f.3.7.-.4.7.8.4.-.a.b.b.0.-.0.e.f.c.1.2.6.6.6.5.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...2.3.8.6.2...2.3.7.8.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.3.c.-.0.0.0.1.-.0.0.1.a.-.9.0.9.3.-.3.c.c.e.7.1.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.4.4.4.f.b.3.6.6.f.a.4.3.2.4.0.c.d.5.7.5.d.7.a.5.8.e.1.3.b.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.4.e.7.0.c.5.1.5.0.8.1.5.3.0.8.e.1.7.b.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 04:00:32 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18004
Entropy (8bit):	2.184282510089021
Encrypted:	false
SSDEEP:	96:548i5X8Q/ZtaLyR9ii7kw4QTnHS44XbX5v9FtZSXJgI9WInWIXQIwLQ0+JSa:Ji5bZtyk9iOQd5vlZMJgvLv+JSa
MD5:	2F9CBFAF66514F6F949E2DA828278CF1
SHA1:	4ED77862C2ED12163C281022D7BF71CDD4861424
SHA-256:	2C2259EFDA83A91C63F67A22DBB273E23FA0196CF8CEC79886A16EA6D2B31759
SHA-512:	2D16BF8D36FFD0E6BB3409CECF443E1BCD0E2867313D04E81541168F79E18E1DB9834A743023A757886DC8AB291C3B9DE56AAD6B3C65AEA477975F9B5DF01D4B
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......`..c............4........... ...<.......D...l...........T.......8...........T................=..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......<...<..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8584
Entropy (8bit):	3.7190717986753423
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipmla6Q36YAPSUoYfpgmf9VYXS7CpDR89b+Rwsfcqm:RrlsNipmI6Q36YYSUVxgmf9mXSV+1fA
MD5:	C216304369B0861C406CD0E8BF90B9C9
SHA1:	F4D169D2A08B632CA02F68D4F495DBAC9C6ED0B4
SHA-256:	FB31C1BECD68341E91C0CA0F6D920106E7766B84B69913C88B8C3EA9A1027A12
SHA-512:	8E2E0F499E638C4B39D302BBA012FC804370E7A147E6489E83F24670BA6E251E61EC098CB7029205DD8FFFD8F6C66D94A42F41AC6388BA69160153877808588B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4925
Entropy (8bit):	4.666777965909841
Encrypted:	false
SSDEEP:	48:cvIwSD8zsbJgtWI9lxWgc8sqYjN8fm8M4JK+PFs6+q81PqntU1+xcd:uITf1eggrsqYuJVTtU1+xcd
MD5:	B91254BEBC2CB3BBCC3C2FD371C19BCD
SHA1:	0AF037B5BACAC11F3A80D9806B508BAE5A3BD476
SHA-256:	4E143D383879AB8AF86555DDB5A14E556CE8B072DA21F021BD03AFABDE3A1185
SHA-512:	F1532FBCFEB9CB14037B9724395DB886EBF29F8FB6527BE9F3589D666AB044721482160C35852CA933B43F7A302B84544D2C461C353FB680E6C32B6B49709860
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903031" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 03:59:57 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18136
Entropy (8bit):	2.2063334751789574
Encrypted:	false
SSDEEP:	96:5F8igX8Q/vyRCp+ii7kHX/uSOz7244XbXtv9NtZSXWI9WInWIXQI4bCSGq1r4:8igbvkY+iOYGgtvNZMWXbCG1r4
MD5:	D863407F220D9FCD294967B7B3A22500
SHA1:	9D89BA50795E74E905744C983121466734A9476E
SHA-256:	E9873D794BA3AB454452DBE67EB39D5438A29AD201AE1C2828C3CABA4B851205
SHA-512:	12449996E5505F14AD65EC7EFEB172835D2C471EA584B981A76EC08B47BA361089611ABB0856A28D0D5876E25BF86FD7ADB42B089EF10AE2F2A2AE24A8857536
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......=..c............4........... ...<.......T...l...........T.......8...........T................>..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......<...<..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.7119871307963144
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipmlN6ii6YAKSUdhgmf9VXSiCprN89beRwsfZqm:RrlsNipmP6ii6YdSUdhgmf9VSwe1f1
MD5:	64BECBF4071943E2B8CD287D5DCEBA86
SHA1:	B886DA8B4862216F5F1BA7D3E8910506AD91DA1C
SHA-256:	052FBCEC73916EFFE070CEC471F8408E2F0A3006EC9A7F305C492B29631387A2
SHA-512:	B997E14E220F537522D947456A77C0D1535310C729F340F4D1BC53A3459423ACC7B7721199D5EEE2B2B57B09CE61612F62D0900F556C04625F4E401086DC29CF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B15.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4827
Entropy (8bit):	4.614432447858704
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9lxWgc8sqYjz8fm8M4JKvZFaXA+q8+fQntU1+xcd:uITf6HeggrsqYUJQ+Qb+tU1+xcd
MD5:	CDEA9895AE45FAA2B9145C5C8277D26B
SHA1:	09D422C225D41E09692A2934E47959B7AC92E608
SHA-256:	9BB95FD6833B02A12E68F8CF95AB581F45CD1D404768FB9AEA4BAC64E3A09DF1
SHA-512:	6DE03DE585C08C738A8CA1EAAB0DF952D708B02DF995DAEF14BA35396C824BAE1969805BF8B0D6B69A751A817DECBDB47B812DACDE11F0EA1E3A6F257F60F9E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903030" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.289519862686535
Encrypted:	false
SSDEEP:	12288:+JgdyhLVs1tqONcKyQL0gGJiBpoIbM6yvUVD1quejGjL+GEkyP:k2yhLVs1tqONcKMBUo6
MD5:	8F475F956A1FDD12DB994C03ED7E6F23
SHA1:	0E3C19098B8C41C4AD1DCD78DB9FB80F0366081A
SHA-256:	F3C1A9728423119F5C89F7B63A644156E106D0A509B030FBC58D1D936AF6C2BA
SHA-512:	02026AE0107171BFF194BE972531CB3F71C24DED5FEEDE8085A841AD4416C6ABB587C22024635ADC28380A6304049AA25F3760E5696EA13AC31FAB9E3B2D1096
Malicious:	false
Preview:	regf_..._...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.*..q;..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.0177781802530625
Encrypted:	false
SSDEEP:	384:2q85SnX9SaPySp9sJImYwSxrZK/MFsJImYwSD:7KStSaPBpWzYwSNZK/dzYwS
MD5:	CA4E9267CF91757F5744DD8FF9324565
SHA1:	C24424A4F80676739C5ACFFED25A9E9583633320
SHA-256:	4726BCB33D0EDE6651D680A10581DA4DC78300259B0CABD83298C0DA94B1B141
SHA-512:	757E694FB09A82E16990AFCB3A52EE2549505AE88E4741591168B4B5A75B0BDE8C2C659D10178249427E7254873395FF7C6BC7EC00767BBB367F5F5B5A7675A5
Malicious:	false
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...q;..................................................................................................................................................................................................................................................................................................................................................HvLE.>......^.................Z3.)z.\|.S.........0..............hbin................p.\..,..........nk,.....q;.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....q;...... ...........8~.............. .......Z.......................Root........lf......Root....nk .....q;................................. ..............................DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.8855949580269264
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
File size:	188416
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
SHA512:	9fee403e82536f4c3c42225762e2ebd1c66496fb94ca1b97ccdc11ced2e56211e60159d6b183667a8fdf270faec42d31888ef60be0f1e401f5d12fb976732178
SSDEEP:	3072:jCY64XFREi9URWKznfMvJ/zl6HvK2KkAtZodTzHHNaTrOT:tTORmLyJdvH4TrOT
TLSH:	EB046C316842A495F0E3E8F3C9EBD47DBB0977A0030224F761CC065AA7625FA763E553
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM................. ..........k......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41856b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004234E8h
push 0041CA40h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004230CCh]
xor edx, edx
mov dl, ah
mov dword ptr [0042C508h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0042C504h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0042C500h], ecx
shr eax, 10h
mov dword ptr [0042C4FCh], eax
push 00000001h
call 00007F3F2A4A3236h
pop ecx
test eax, eax
jne 00007F3F58A4312Ah
push 0000001Ch
call 00007F3EED1A3236h
pop ecx
call 00007F3FD0723236h
test eax, eax
jne 00007F3F58A4312Ah
push 00000010h
call 00007F3EED1A3236h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F3F1EF73236h
call dword ptr [004230C8h]
mov dword ptr [0042CB34h], eax
call 00007F3F9E713236h
mov dword ptr [0042C560h], eax
call 00007F3F516E3236h
call 00007F3F986E3236h
call 00007F3EDFF43236h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00423088h]
call 00007F3F406D3236h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F3F58A43128h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23f88	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x1a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x22000	0x22000	False	0.4499942555147059	data	6.458075836010223	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x2000	0x2000	False	0.2213134765625	data	2.8987922797855528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x9000	0x9000	False	0.20203993055555555	data	3.054353288110077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

High Level Behavior Distribution

Click to dive into process behavior distribution

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exePID: 5948, Parent PID: 3320COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 0041CAE7

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9df07fe0a5360a6fa3f4799f177a1ed3ae493763ea1264db40e7928e7bd1b2f0
Instruction ID: 168d2fb0cbf042809f3ae9973fe51a40b403337f2e3bc75f788b16fe48173bff
Opcode Fuzzy Hash: 9df07fe0a5360a6fa3f4799f177a1ed3ae493763ea1264db40e7928e7bd1b2f0
Instruction Fuzzy Hash: B521653254020CDBCB11DF18DC84AAAB764FF043B1F458696ED159B285E735F9A5CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0041856B Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00418591

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1c076d7714d3392c8b8bde5020116fb24754d3af25a5e139b439ef1b9a48488a
Instruction ID: b3b3d47726f897b7252c10fee9d9eb87aad623cb3e1b1b84787dc3625582f111
Opcode Fuzzy Hash: 1c076d7714d3392c8b8bde5020116fb24754d3af25a5e139b439ef1b9a48488a
Instruction Fuzzy Hash: 9B21E5B1A40315AFDB249FA5DC44A6D7AB8EF04730F10472AE430A72E0DB388481C768

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00420B22 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

+, xrefs: 00420D17
0, xrefs: 00420DC1
0, xrefs: 00420D90
-, xrefs: 00420BF9
9, xrefs: 00420C37
+, xrefs: 00420BF4
9, xrefs: 00420DB3
0, xrefs: 00420BFE
C, xrefs: 00420C03
-, xrefs: 00420D20
9, xrefs: 00420D6F
9, xrefs: 00420BE3
9, xrefs: 00420DA3
0, xrefs: 00420C4C
E, xrefs: 00420C0C
e, xrefs: 00420C1A
9, xrefs: 00420B91
1, xrefs: 00420D67
c, xrefs: 00420C11
1, xrefs: 00420D9A
0, xrefs: 00420CC3

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: f2ecf1970130bb78c94640e21700b67d711bf2072f2f0acfb0efca193b38d8fa
Instruction ID: b0757a456eea038ff0bfd6fb163243673d58cb598574da436b838a0f2048d9a0
Opcode Fuzzy Hash: f2ecf1970130bb78c94640e21700b67d711bf2072f2f0acfb0efca193b38d8fa
Instruction Fuzzy Hash: F4E1F271F55229CEEB248FA4E8553FE7BF1EB04310FA8452BD410AA293C7789982C75D

Uniqueness

Uniqueness Score: -1.00%

Function 00412D62 Relevance: 19.8, Strings: 15, Instructions: 1086COMMON

Download Yara Rule

Strings

Status, xrefs: 00413027
Diag %04x: %s Disabled, xrefs: 00414019
Status, xrefs: 0041410B
Diag %04x: %s Malfunction, xrefs: 0041404F
Msg, xrefs: 00412FE4
Diag %04x: %s Enabled, xrefs: 00413FE1
/VOC, xrefs: 00413AA7
Type I, xrefs: 00413D43
E, xrefs: 00412FA0
Type II, xrefs: 00413DB3
corrupt value for nstacked, xrefs: 00412F0C
Astro, xrefs: 00413C38
Type II, xrefs: 00413D31
Astro, xrefs: 00413A88
Block %d <0..7> is Type IIi , xrefs: 0041387B

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Astro$ Astro$/VOC$Block %d <0..7> is Type IIi $Diag %04x: %s Disabled$Diag %04x: %s Enabled$Diag %04x: %s Malfunction$E$Msg$Status$Status$Type I$Type II$Type II$corrupt value for nstacked
API String ID: 0-853403465
Opcode ID: 016e66bdd0a3350a3145b47dd2a0af76d8bd1336016564a5d90f5d58920b15d4
Instruction ID: 1208059041685f65eb15f1cfe67646e2deafe42a3ce333709acfb41ac6234d15
Opcode Fuzzy Hash: 016e66bdd0a3350a3145b47dd2a0af76d8bd1336016564a5d90f5d58920b15d4
Instruction Fuzzy Hash: 7D92827170420296E729EF35ECA27BF33A6AB44720F944379D425872F5EA3849D6CB1C

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A4 Relevance: 7.9, Strings: 6, Instructions: 373COMMON

Download Yara Rule

Strings

----- %-*.*s, xrefs: 0040D4B0
%5hu %-*.*s, xrefs: 0040D493
%-*.*s %5s , xrefs: 0040D273
%.2d, xrefs: 0040D1AB
%.4hX %-*.*s, xrefs: 0040D462
c, xrefs: 0040D193

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %.4hX %-*.*s$%-*.*s %5s $%.2d$%5hu %-*.*s$----- %-*.*s$c
API String ID: 0-4163069520
Opcode ID: 462a4206c534b9ea8ce254b3adb29a83e1649e654a678ab514145c1d90c058f4
Instruction ID: 694b9b517696a9f959aeb3d2f2e11f1723035b44a40c0d577ff468ef31acd605
Opcode Fuzzy Hash: 462a4206c534b9ea8ce254b3adb29a83e1649e654a678ab514145c1d90c058f4
Instruction Fuzzy Hash: 61E1F7B0F002069BD704DFA5DC41ABFB7B2AF88310F548669D425AB3D1E739D846CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412098 Relevance: 7.8, Strings: 6, Instructions: 273COMMON

Download Yara Rule

Strings

%hu, xrefs: 0041222F
%hu, xrefs: 004123F6
F, xrefs: 004122DC
%hx, xrefs: 004121B8
%hx, xrefs: 0041236F
%-5.5s, xrefs: 00412159

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %-5.5s$%hu$%hu$%hx$%hx$F
API String ID: 0-758360261
Opcode ID: 04df81291b3466d79236c39a6cf768e38316d25091ffe4db853101d6d4fc7473
Instruction ID: 7707673af5da670e4c8d62f588a49adad05244a2cdd18be9ae02ba93bbff3943
Opcode Fuzzy Hash: 04df81291b3466d79236c39a6cf768e38316d25091ffe4db853101d6d4fc7473
Instruction Fuzzy Hash: 66A14D70B00201D6DB289FA4EE917EE3310EB19720F948336E526C23E0E6B655D6C75F

Uniqueness

Uniqueness Score: -1.00%

Function 00414691 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

L, xrefs: 0041473D

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L
API String ID: 0-2909332022
Opcode ID: e7eb5275c67930e18a9e70852314b739697d57e21d7fd7c7796568afbb7c789b
Instruction ID: 38ebb43d0bad984ae7251ea612102e57c732bb0493eca0e3bdbf6d9ab6fefd43
Opcode Fuzzy Hash: e7eb5275c67930e18a9e70852314b739697d57e21d7fd7c7796568afbb7c789b
Instruction Fuzzy Hash: 63A14D78E0414A8FDB14CF98C492AFFBBB1BF89304F68815DC545AB342CB355992CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041BF83 Relevance: .3, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0041BF83(signed int* _a4, signed int _a8, char _a11, signed int _a12, char _a15) {
				signed int _v8;
				signed char _v12;
				intOrPtr _v16;
				intOrPtr _t186;
				void* _t187;
				signed int _t188;
				signed int* _t189;
				intOrPtr _t190;
				signed int* _t191;
				signed int* _t192;
				signed char _t193;
				signed int _t194;
				intOrPtr* _t195;
				signed int _t198;
				signed int _t201;
				signed int _t206;
				signed int _t208;
				signed int _t217;
				signed int _t220;
				signed int* _t221;
				signed int _t226;
				intOrPtr _t227;
				intOrPtr _t228;
				intOrPtr _t229;
				char _t232;
				char _t233;
				signed char _t234;
				char* _t243;
				signed char _t249;
				intOrPtr _t251;
				intOrPtr _t255;
				signed int _t256;
				char _t257;
				char _t258;
				signed char _t259;
				char* _t266;
				char* _t269;
				signed int _t273;
				unsigned int _t274;
				unsigned int _t276;
				signed int _t278;
				signed char _t279;
				signed int _t288;
				signed char _t291;
				signed int _t294;
				signed int _t298;
				char* _t300;
				signed int _t315;

				_t221 = _a4;
				_t278 = _a8;
				_t186 =  *((intOrPtr*)(_t221 + 0x10));
				_t288 = _a12 + 0x00000017 & 0xfffffff0;
				_t273 = _t278 -  *((intOrPtr*)(_t221 + 0xc)) >> 0xf;
				_v16 = _t273 * 0x204 + _t186 + 0x144;
				_t226 =  *((intOrPtr*)(_t278 - 4)) - 1;
				_a12 = _t226;
				_t193 =  *(_t226 + _t278 - 4);
				_t279 = _t226 + _t278 - 4;
				_v8 = _t193;
				if(_t288 <= _t226) {
					L27:
					if(_t315 < 0) {
						_t194 = _a8;
						_a12 = _a12 - _t288;
						_t227 = _t288 + 1;
						 *((intOrPtr*)(_t194 - 4)) = _t227;
						_t195 = _t194 + _t288 - 4;
						_a8 = _t195;
						_t291 = (_a12 >> 4) - 1;
						 *((intOrPtr*)(_t195 - 4)) = _t227;
						if(_t291 > 0x3f) {
							_t291 = 0x3f;
						}
						if((_v8 & 0x00000001) == 0) {
							_t294 = (_v8 >> 4) - 1;
							if(_t294 > 0x3f) {
								_t294 = 0x3f;
							}
							if( *((intOrPtr*)(_t279 + 4)) ==  *(_t279 + 8)) {
								if(_t294 >= 0x20) {
									_t128 = _t294 - 0x20; // -32
									_t130 = _t186 + 4; // 0x4
									_t243 = _t294 + _t130;
									_t198 =  !(0x80000000 >> _t128);
									 *(_t186 + 0xc4 + _t273 * 4) =  *(_t186 + 0xc4 + _t273 * 4) & 0x80000000;
									 *_t243 =  *_t243 - 1;
									if( *_t243 == 0) {
										_a4[1] = _a4[1] & _t198;
									}
								} else {
									_t300 = _t294 + _t186 + 4;
									_t201 =  !(0x80000000 >> _t294);
									 *(_t186 + 0x44 + _t273 * 4) =  *(_t186 + 0x44 + _t273 * 4) & 0x80000000;
									 *_t300 =  *_t300 - 1;
									if( *_t300 == 0) {
										 *_a4 =  *_a4 & _t201;
									}
								}
								_t195 = _a8;
							}
							 *((intOrPtr*)( *(_t279 + 8) + 4)) =  *((intOrPtr*)(_t279 + 4));
							 *( *((intOrPtr*)(_t279 + 4)) + 8) =  *(_t279 + 8);
							_t298 = _a12 + _v8;
							_a12 = _t298;
							_t291 = (_t298 >> 4) - 1;
							if(_t291 > 0x3f) {
								_t291 = 0x3f;
							}
						}
						_t228 = _v16;
						_t229 = _t228 + _t291 * 8;
						 *((intOrPtr*)(_t195 + 4)) =  *((intOrPtr*)(_t228 + 4 + _t291 * 8));
						 *((intOrPtr*)(_t195 + 8)) = _t229;
						 *((intOrPtr*)(_t229 + 4)) = _t195;
						 *((intOrPtr*)( *((intOrPtr*)(_t195 + 4)) + 8)) = _t195;
						if( *((intOrPtr*)(_t195 + 4)) ==  *((intOrPtr*)(_t195 + 8))) {
							_t232 =  *((intOrPtr*)(_t291 + _t186 + 4));
							_a11 = _t232;
							_t233 = _t232 + 1;
							 *((char*)(_t291 + _t186 + 4)) = _t233;
							if(_t233 >= 0) {
								if(_a11 == 0) {
									_a4[1] = _a4[1] | 0x80000000 >> _t291 - 0x00000020;
								}
								_t189 = _t186 + 0xc4 + _t273 * 4;
								_t234 = _t291 - 0x20;
								_t274 = 0x80000000;
							} else {
								if(_a11 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t291;
								}
								_t189 = _t186 + 0x44 + _t273 * 4;
								_t274 = 0x80000000;
								_t234 = _t291;
							}
							 *_t189 =  *_t189 | _t274 >> _t234;
						}
						_t188 = _a12;
						 *_t195 = _t188;
						 *((intOrPtr*)(_t188 + _t195 - 4)) = _t188;
					}
					_t187 = 1;
					return _t187;
				}
				if((_t193 & 0x00000001) != 0 || _t288 > _t193 + _t226) {
					L26:
					_t186 = 0;
					goto L27;
				} else {
					_t249 = (_v8 >> 4) - 1;
					_v12 = _t249;
					if(_t249 > 0x3f) {
						_t249 = 0x3f;
						_v12 = _t249;
					}
					if( *((intOrPtr*)(_t279 + 4)) ==  *(_t279 + 8)) {
						if(_t249 >= 0x20) {
							_t266 = _v12 + _t186 + 4;
							_t217 =  !(0x80000000 >> _t249 + 0xffffffe0);
							 *(_t186 + 0xc4 + _t273 * 4) =  *(_t186 + 0xc4 + _t273 * 4) & 0x80000000;
							 *_t266 =  *_t266 - 1;
							if( *_t266 == 0) {
								_a4[1] = _a4[1] & _t217;
							}
						} else {
							_t269 = _v12 + _t186 + 4;
							_t220 =  !(0x80000000 >> _t249);
							 *(_t186 + 0x44 + _t273 * 4) =  *(_t186 + 0x44 + _t273 * 4) & 0x80000000;
							 *_t269 =  *_t269 - 1;
							if( *_t269 == 0) {
								 *_a4 =  *_a4 & _t220;
							}
						}
					}
					 *((intOrPtr*)( *(_t279 + 8) + 4)) =  *((intOrPtr*)(_t279 + 4));
					_t251 =  *((intOrPtr*)(_t279 + 4));
					_t279 =  *(_t279 + 8);
					 *(_t251 + 8) = _t279;
					_v8 = _v8 + _a12 - _t288;
					if(_v8 <= 0) {
						_t273 = _a8;
					} else {
						_t279 = (_v8 >> 4) - 1;
						_t255 = _a8 + _t288 - 4;
						if(_t279 > 0x3f) {
							_t279 = 0x3f;
						}
						_t206 = _v16 + _t279 * 8;
						_a12 = _t206;
						 *((intOrPtr*)(_t255 + 4)) =  *((intOrPtr*)(_t206 + 4));
						_t208 = _a12;
						 *(_t255 + 8) = _t208;
						 *((intOrPtr*)(_t208 + 4)) = _t255;
						 *((intOrPtr*)( *((intOrPtr*)(_t255 + 4)) + 8)) = _t255;
						if( *((intOrPtr*)(_t255 + 4)) ==  *(_t255 + 8)) {
							_t257 =  *((intOrPtr*)(_t279 + _t186 + 4));
							_a15 = _t257;
							_t258 = _t257 + 1;
							 *((char*)(_t279 + _t186 + 4)) = _t258;
							if(_t258 >= 0) {
								if(_a15 == 0) {
									_t84 = _t279 - 0x20; // -33
									_a4[1] = _a4[1] | 0x80000000 >> _t84;
								}
								_t192 = _t186 + 0xc4 + _t273 * 4;
								_t91 = _t279 - 0x20; // -33
								_t259 = _t91;
								_t276 = 0x80000000;
							} else {
								if(_a15 == 0) {
									 *_a4 =  *_a4 | 0x80000000 >> _t279;
								}
								_t192 = _t186 + 0x44 + _t273 * 4;
								_t276 = 0x80000000;
								_t259 = _t279;
							}
							 *_t192 =  *_t192 | _t276 >> _t259;
							_t315 =  *_t192;
						}
						_t273 = _a8;
						_t256 = _v8;
						_t191 = _t273 + _t288 - 4;
						 *_t191 = _t256;
						 *(_t256 + _t191 - 4) = _t256;
					}
					_t190 = _t288 + 1;
					 *((intOrPtr*)(_t273 - 4)) = _t190;
					 *((intOrPtr*)(_t273 + _t288 - 8)) = _t190;
					goto L26;
				}
			}

0x0041bf89
0x0041bf92
0x0041bf9d
0x0041bfa0
0x0041bfa3
0x0041bfb5
0x0041bfbb
0x0041bfbe
0x0041bfc1
0x0041bfc5
0x0041bfc9
0x0041bfcc
0x0041c131
0x0041c131
0x0041c137
0x0041c13a
0x0041c13d
0x0041c140
0x0041c143
0x0041c14a
0x0041c150
0x0041c151
0x0041c157
0x0041c15b
0x0041c15b
0x0041c160
0x0041c16c
0x0041c170
0x0041c174
0x0041c174
0x0041c17b
0x0041c180
0x0041c1a0
0x0041c1aa
0x0041c1aa
0x0041c1ae
0x0041c1b0
0x0041c1b7
0x0041c1b9
0x0041c1be
0x0041c1be
0x0041c182
0x0041c18b
0x0041c18f
0x0041c191
0x0041c195
0x0041c197
0x0041c19c
0x0041c19c
0x0041c197
0x0041c1c1
0x0041c1c1
0x0041c1ca
0x0041c1d3
0x0041c1d9
0x0041c1dc
0x0041c1e2
0x0041c1e6
0x0041c1ea
0x0041c1ea
0x0041c1e6
0x0041c1eb
0x0041c1f2
0x0041c1f5
0x0041c1f8
0x0041c1fb
0x0041c201
0x0041c20a
0x0041c20c
0x0041c213
0x0041c216
0x0041c218
0x0041c21c
0x0041c243
0x0041c252
0x0041c252
0x0041c255
0x0041c25c
0x0041c25f
0x0041c21e
0x0041c222
0x0041c230
0x0041c230
0x0041c232
0x0041c236
0x0041c23b
0x0041c23b
0x0041c266
0x0041c266
0x0041c268
0x0041c26b
0x0041c26d
0x0041c26d
0x0041c273
0x0041c278
0x0041c278
0x0041bfd5
0x0041c12a
0x0041c12a
0x00000000
0x0041bfe5
0x0041bfeb
0x0041bfef
0x0041bff2
0x0041bff6
0x0041bff7
0x0041bff7
0x0041c000
0x0041c005
0x0041c033
0x0041c037
0x0041c039
0x0041c040
0x0041c042
0x0041c047
0x0041c047
0x0041c007
0x0041c011
0x0041c015
0x0041c017
0x0041c01b
0x0041c01d
0x0041c022
0x0041c022
0x0041c01d
0x0041c005
0x0041c050
0x0041c053
0x0041c056
0x0041c059
0x0041c061
0x0041c068
0x0041c118
0x0041c06e
0x0041c077
0x0041c078
0x0041c07f
0x0041c083
0x0041c083
0x0041c087
0x0041c08a
0x0041c090
0x0041c093
0x0041c096
0x0041c099
0x0041c09f
0x0041c0a8
0x0041c0aa
0x0041c0b1
0x0041c0b4
0x0041c0b6
0x0041c0ba
0x0041c0e1
0x0041c0e3
0x0041c0f0
0x0041c0f0
0x0041c0f3
0x0041c0fa
0x0041c0fa
0x0041c0fd
0x0041c0bc
0x0041c0c0
0x0041c0ce
0x0041c0ce
0x0041c0d0
0x0041c0d4
0x0041c0d9
0x0041c0d9
0x0041c104
0x0041c104
0x0041c104
0x0041c106
0x0041c109
0x0041c10c
0x0041c110
0x0041c112
0x0041c112
0x0041c11b
0x0041c11e
0x0041c121
0x00000000
0x0041c121

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6f8a3a8b461eff8a9df3fe6d30354c6da305bdc1e6974d39d43d06fa44f1c3d
Instruction ID: 20d1490a87714100cfdd18dbf202dce7e0241b0f08138d8ba2da77ab3be3fbfb
Opcode Fuzzy Hash: d6f8a3a8b461eff8a9df3fe6d30354c6da305bdc1e6974d39d43d06fa44f1c3d
Instruction Fuzzy Hash: 03B17B75A4020ADFDB15CF44C9D0AE9BBA1BB59318F24C19ED80A5B342C735EE82CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBDA Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.394108259.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.394102029.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394134533.0000000000423000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.0000000000425000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.394139859.000000000042B000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2673a877b544f24bf78c87af1c552c10ce5562ff597f67bdf9a1114b5b2fa5d
Instruction ID: 9d545a050f72413be5056948d7628c7602dc72f706a07ce1ba076b258e16ea5e
Opcode Fuzzy Hash: e2673a877b544f24bf78c87af1c552c10ce5562ff597f67bdf9a1114b5b2fa5d
Instruction Fuzzy Hash: 1F71D174E04245DBDB18DFA8C450AADBBB2FF89314F1581E9C442AB3E1D7759E86CB08

Uniqueness

Uniqueness Score: -1.00%

Target ID:	0
Start time:	19:59:56
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Imagebase:	0x400000
File size:	188416 bytes
MD5 hash:	BD13975ABC6AC3E5A97706A45F48F7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Target ID:	3
Start time:	19:59:56
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Target ID:	12
Start time:	20:00:32
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B15.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exePID: 5948, Parent PID: 3320

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Function 0041CA40 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Function 0041856B Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 0041BF83 Relevance: .3, Instructions: 259
COMMONCrypto