Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Analysis ID:	800793
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

One or more processes crash

PE file contains an invalid checksum

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe (PID: 5948 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe MD5: BD13975ABC6AC3E5A97706A45F48F7DF)

WerFault.exe (PID: 6040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	String found in binary or memory: http://www.clamav.net

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412098
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040D0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00420B22
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0040DBDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00412D62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_00414691
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Code function: 0_2_0041BF83

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

ReversingLabs: Detection: 12%

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp

Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: classification engine

Classification label: mal56.winEXE@3/10@0/0

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5948

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Static PE information: real checksum: 0x32ef3 should be: 0x38ad4

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_00418A50 push eax; ret

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Code function: 0_2_0041CA40 LdrInitializeThunk,

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	13%	ReversingLabs
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	100%	Avira	TR/Crypt.XPACK.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800793
Start date and time:	2023-02-07 19:58:56 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 37s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Detection:	MAL
Classification:	mal56.winEXE@3/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 23%) Quality average: 19.5% Quality standard deviation: 36.8%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.89.179.12
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6785938513999892
Encrypted:	false
SSDEEP:	192:eqj19H2YGwHBUZMXUKOjE/u7shS274It6LG:DR9H2YGYBUZMXUKOjE/u7shX4It6LG
MD5:	9E6F5F83756A722153DE06DB0296E447
SHA1:	938128D2C7E77AD36D0FDE60E0E156BD5ABDDB75
SHA-256:	49810D9D418FACA0C29426E9D0D040328CCD0145CE8EB0C30BF3BADF70139C90
SHA-512:	7ADAD777C04BDA5F89CC9895CA634870FD38B40BBC0C2D795B9541DB8460688A7013BA878A13C16151D7E87F040EB1D4170A14C2020C38347B76E12E6FC855BA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.2.3.9.7.7.0.2.4.7.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.2.3.9.8.3.1.1.7.9.5.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.b.e.7.0.e.a.a.-.9.c.a.2.-.4.f.a.e.-.b.7.5.1.-.e.d.7.7.0.8.c.4.f.a.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.d.f.d.7.8.6.-.4.c.5.b.-.4.b.c.8.-.8.9.8.7.-.3.5.0.1.0.e.3.4.e.d.2.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...2.3.8.6.2...2.3.7.8.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.3.c.-.0.0.0.1.-.0.0.1.a.-.9.0.9.3.-.3.c.c.e.7.1.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.4.4.4.f.b.3.6.6.f.a.4.3.2.4.0.c.d.5.7.5.d.7.a.5.8.e.1.3.b.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.4.e.7.0.c.5.1.5.0.8.1.5.3.0.8.e.1.7.b.b.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6890775397208573
Encrypted:	false
SSDEEP:	192:8zj19H2YlyOHK5S5KOjE/u7sGS274It6LG:QR9H2YlyGK5S5KOjE/u7sGX4It6LG
MD5:	53685A419CF7EC9EEB8E8B262B84AB14
SHA1:	664EB1A851BEE5C23313419260831F03DDEFD44A
SHA-256:	16706EECDC267A278870AEA6F43800D7FFBCAAAF1AADE5B3411689A9F186B983
SHA-512:	5F79E1FA7C6538F3D0CDF2607FFD7F73107BA54998AEB247ECDCA23E347649C19116420CF603DC6E3367794412610DEC3E3114DBC3583641C11AB3E90E1F6BB9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.2.4.3.2.5.7.8.9.8.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.2.4.3.3.1.2.5.8.6.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.6.6.a.5.d.7.-.3.9.b.c.-.4.7.e.f.-.8.5.c.b.-.b.8.5.d.3.3.7.7.9.9.1.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.3.d.2.0.6.c.-.d.f.3.7.-.4.7.8.4.-.a.b.b.0.-.0.e.f.c.1.2.6.6.6.5.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...2.3.8.6.2...2.3.7.8.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.3.c.-.0.0.0.1.-.0.0.1.a.-.9.0.9.3.-.3.c.c.e.7.1.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.e.4.4.4.f.b.3.6.6.f.a.4.3.2.4.0.c.d.5.7.5.d.7.a.5.8.e.1.3.b.3.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.4.e.7.0.c.5.1.5.0.8.1.5.3.0.8.e.1.7.b.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 04:00:32 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18004
Entropy (8bit):	2.184282510089021
Encrypted:	false
SSDEEP:	96:548i5X8Q/ZtaLyR9ii7kw4QTnHS44XbX5v9FtZSXJgI9WInWIXQIwLQ0+JSa:Ji5bZtyk9iOQd5vlZMJgvLv+JSa
MD5:	2F9CBFAF66514F6F949E2DA828278CF1
SHA1:	4ED77862C2ED12163C281022D7BF71CDD4861424
SHA-256:	2C2259EFDA83A91C63F67A22DBB273E23FA0196CF8CEC79886A16EA6D2B31759
SHA-512:	2D16BF8D36FFD0E6BB3409CECF443E1BCD0E2867313D04E81541168F79E18E1DB9834A743023A757886DC8AB291C3B9DE56AAD6B3C65AEA477975F9B5DF01D4B
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......`..c............4........... ...<.......D...l...........T.......8...........T................=..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......<...<..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8584
Entropy (8bit):	3.7190717986753423
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipmla6Q36YAPSUoYfpgmf9VYXS7CpDR89b+Rwsfcqm:RrlsNipmI6Q36YYSUVxgmf9mXSV+1fA
MD5:	C216304369B0861C406CD0E8BF90B9C9
SHA1:	F4D169D2A08B632CA02F68D4F495DBAC9C6ED0B4
SHA-256:	FB31C1BECD68341E91C0CA0F6D920106E7766B84B69913C88B8C3EA9A1027A12
SHA-512:	8E2E0F499E638C4B39D302BBA012FC804370E7A147E6489E83F24670BA6E251E61EC098CB7029205DD8FFFD8F6C66D94A42F41AC6388BA69160153877808588B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4925
Entropy (8bit):	4.666777965909841
Encrypted:	false
SSDEEP:	48:cvIwSD8zsbJgtWI9lxWgc8sqYjN8fm8M4JK+PFs6+q81PqntU1+xcd:uITf1eggrsqYuJVTtU1+xcd
MD5:	B91254BEBC2CB3BBCC3C2FD371C19BCD
SHA1:	0AF037B5BACAC11F3A80D9806B508BAE5A3BD476
SHA-256:	4E143D383879AB8AF86555DDB5A14E556CE8B072DA21F021BD03AFABDE3A1185
SHA-512:	F1532FBCFEB9CB14037B9724395DB886EBF29F8FB6527BE9F3589D666AB044721482160C35852CA933B43F7A302B84544D2C461C353FB680E6C32B6B49709860
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903031" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 03:59:57 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18136
Entropy (8bit):	2.2063334751789574
Encrypted:	false
SSDEEP:	96:5F8igX8Q/vyRCp+ii7kHX/uSOz7244XbXtv9NtZSXWI9WInWIXQI4bCSGq1r4:8igbvkY+iOYGgtvNZMWXbCG1r4
MD5:	D863407F220D9FCD294967B7B3A22500
SHA1:	9D89BA50795E74E905744C983121466734A9476E
SHA-256:	E9873D794BA3AB454452DBE67EB39D5438A29AD201AE1C2828C3CABA4B851205
SHA-512:	12449996E5505F14AD65EC7EFEB172835D2C471EA584B981A76EC08B47BA361089611ABB0856A28D0D5876E25BF86FD7ADB42B089EF10AE2F2A2AE24A8857536
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......=..c............4........... ...<.......T...l...........T.......8...........T................>..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......<...<..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.7119871307963144
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipmlN6ii6YAKSUdhgmf9VXSiCprN89beRwsfZqm:RrlsNipmP6ii6YdSUdhgmf9VSwe1f1
MD5:	64BECBF4071943E2B8CD287D5DCEBA86
SHA1:	B886DA8B4862216F5F1BA7D3E8910506AD91DA1C
SHA-256:	052FBCEC73916EFFE070CEC471F8408E2F0A3006EC9A7F305C492B29631387A2
SHA-512:	B997E14E220F537522D947456A77C0D1535310C729F340F4D1BC53A3459423ACC7B7721199D5EEE2B2B57B09CE61612F62D0900F556C04625F4E401086DC29CF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B15.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4827
Entropy (8bit):	4.614432447858704
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6tJgtWI9lxWgc8sqYjz8fm8M4JKvZFaXA+q8+fQntU1+xcd:uITf6HeggrsqYUJQ+Qb+tU1+xcd
MD5:	CDEA9895AE45FAA2B9145C5C8277D26B
SHA1:	09D422C225D41E09692A2934E47959B7AC92E608
SHA-256:	9BB95FD6833B02A12E68F8CF95AB581F45CD1D404768FB9AEA4BAC64E3A09DF1
SHA-512:	6DE03DE585C08C738A8CA1EAAB0DF952D708B02DF995DAEF14BA35396C824BAE1969805BF8B0D6B69A751A817DECBDB47B812DACDE11F0EA1E3A6F257F60F9E5
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903030" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.289519862686535
Encrypted:	false
SSDEEP:	12288:+JgdyhLVs1tqONcKyQL0gGJiBpoIbM6yvUVD1quejGjL+GEkyP:k2yhLVs1tqONcKMBUo6
MD5:	8F475F956A1FDD12DB994C03ED7E6F23
SHA1:	0E3C19098B8C41C4AD1DCD78DB9FB80F0366081A
SHA-256:	F3C1A9728423119F5C89F7B63A644156E106D0A509B030FBC58D1D936AF6C2BA
SHA-512:	02026AE0107171BFF194BE972531CB3F71C24DED5FEEDE8085A841AD4416C6ABB587C22024635ADC28380A6304049AA25F3760E5696EA13AC31FAB9E3B2D1096
Malicious:	false
Preview:	regf_..._...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.*..q;..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.0177781802530625
Encrypted:	false
SSDEEP:	384:2q85SnX9SaPySp9sJImYwSxrZK/MFsJImYwSD:7KStSaPBpWzYwSNZK/dzYwS
MD5:	CA4E9267CF91757F5744DD8FF9324565
SHA1:	C24424A4F80676739C5ACFFED25A9E9583633320
SHA-256:	4726BCB33D0EDE6651D680A10581DA4DC78300259B0CABD83298C0DA94B1B141
SHA-512:	757E694FB09A82E16990AFCB3A52EE2549505AE88E4741591168B4B5A75B0BDE8C2C659D10178249427E7254873395FF7C6BC7EC00767BBB367F5F5B5A7675A5
Malicious:	false
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...q;..................................................................................................................................................................................................................................................................................................................................................HvLE.>......^.................Z3.)z.\|.S.........0..............hbin................p.\..,..........nk,.....q;.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....q;...... ...........8~.............. .......Z.......................Root........lf......Root....nk .....q;................................. ..............................DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.8855949580269264
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
File size:	188416
MD5:	bd13975abc6ac3e5a97706a45f48f7df
SHA1:	154e70c5150815308e17bbb74cae4ee79948e438
SHA256:	7bda9944d4b4a62a86088d56ad964c0a4b98516c93f6467cd89a8f8f655a0029
SHA512:	9fee403e82536f4c3c42225762e2ebd1c66496fb94ca1b97ccdc11ced2e56211e60159d6b183667a8fdf270faec42d31888ef60be0f1e401f5d12fb976732178
SSDEEP:	3072:jCY64XFREi9URWKznfMvJ/zl6HvK2KkAtZodTzHHNaTrOT:tTORmLyJdvH4TrOT
TLSH:	EB046C316842A495F0E3E8F3C9EBD47DBB0977A0030224F761CC065AA7625FA763E553
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM................. ..........k......

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41856b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004234E8h
push 0041CA40h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004230CCh]
xor edx, edx
mov dl, ah
mov dword ptr [0042C508h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0042C504h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0042C500h], ecx
shr eax, 10h
mov dword ptr [0042C4FCh], eax
push 00000001h
call 00007F3F2A4A3236h
pop ecx
test eax, eax
jne 00007F3F58A4312Ah
push 0000001Ch
call 00007F3EED1A3236h
pop ecx
call 00007F3FD0723236h
test eax, eax
jne 00007F3F58A4312Ah
push 00000010h
call 00007F3EED1A3236h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F3F1EF73236h
call dword ptr [004230C8h]
mov dword ptr [0042CB34h], eax
call 00007F3F9E713236h
mov dword ptr [0042C560h], eax
call 00007F3F516E3236h
call 00007F3F986E3236h
call 00007F3EDFF43236h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00423088h]
call 00007F3F406D3236h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F3F58A43128h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23f88	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x1a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x22000	0x22000	False	0.4499942555147059	data	6.458075836010223	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x2000	0x2000	False	0.2213134765625	data	2.8987922797855528	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x25000	0x9000	0x9000	False	0.20203993055555555	data	3.054353288110077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exePID: 5948, Parent PID: 3320

General

Target ID:	0
Start time:	19:59:56
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe
Imagebase:	0x400000
File size:	188416 bytes
MD5 hash:	BD13975ABC6AC3E5A97706A45F48F7DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exePID: 6040, Parent PID: 5948

General

Target ID:	3
Start time:	19:59:56
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 5772, Parent PID: 5948

General

Target ID:	12
Start time:	20:00:32
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 220
Imagebase:	0x80000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_63a32cbc58eca2f445502337681ea96cbf1e38a6_5c1322d7_17cc865d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f8b2f5d487f13ef078ee9e48b4dedc7a1e0c36a_5c1322d7_16d906f7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER284.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2E2.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER79AB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7AA6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B15.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exePID: 5948, Parent PID: 3320

General

Analysis Process: WerFault.exePID: 6040, Parent PID: 5948

General

Analysis Process: WerFault.exePID: 5772, Parent PID: 5948

Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.23862.23788.exe