
Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
Analysis ID:1277760
MD5:2d49d0d6906103a3f6c171d354faa0af
SHA1:1132e7c79711ca7358ef712f917ada28f7df0d1e
SHA256:ce3dab7e124372ea19e7e9e9b5c61a482951c72156d82196e9045cc2055d189c
Tags:exe

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function

Classification

Classification radar (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Avira: detected
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Virustotal: Detection: 28%
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe, 00000000.00000002.456688112.00000000007CA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 216
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0040F5CF
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | ReversingLabs: Detection: 31%
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Virustotal: Detection: 28%
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B4.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal60.winEXE@2/6@0/1
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 216
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7388
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Static file information: File size 3444736 > 1048576
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x26a000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_004200F0 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041C17A push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041A270 push 0041A2BDh; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0040E238 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_004072C8 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041C2DC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041C298 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041E358 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041A338 push 0041A364h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_004063B4 push 00406405h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00419448 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00407524 push 004078A0h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_004065E4 push 00406610h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00406674 push 004066A0h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0040E710 push 0040EB5Ch; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00418718 push 0041878Eh; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00418790 push 00418838h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0040886C push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041883A push 00418990h; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041CA14 pushad ; retf 0041h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041CA34 pushad ; retf 0041h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0040EB5E push 0040EBCFh; ret
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00418BF0 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041EEE4 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_0041BF54 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_00402FE8 push eax; ret
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | Code function: 0_2_004C6734 EntryPoint,LdrInitializeThunk,
Source: Amcache.hve.3.dr | Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr | Binary or memory string: procexp.exe
MITRE ATT&CK matrix (tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control, Network Effects, Remote Service Effects, Impact). Techniques with at least one mapped signature, with the signature count in parentheses; every other matrix cell is an empty template placeholder:

Privilege Escalation: Process Injection (1)
Defense Evasion: Process Injection (1), Virtualization/Sandbox Evasion (1), Obfuscated Files or Information (1)
Credential Access: Input Capture (1)
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (1), System Information Discovery (1), Remote System Discovery (1)
Collection: Input Capture (1), Archive Collected Data (1)
Command and Control: Encrypted Channel (1)
Behavior graph (ID 1277760, start date 22/07/2023, architecture WINDOWS, score 60): signature nodes "Antivirus / Scanner detection for submitted sample", "Multi AV Scanner detection for submitted file", "Machine Learning detection for sample"; process chain: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe started, which started WerFault.exe; network node: 192.168.2.1 (unknown).

Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | 32% | ReversingLabs |
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | 28% | Virustotal |
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | 100% | Avira | TR/Crypt.XPACK.Gen
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | 100% | Joe Sandbox ML |
No Antivirus matches (four empty result sections)
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.clamav.net | SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe | false | | high
http://upx.sf.net | Amcache.hve.3.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.168.2.1 | | | | |
      Joe Sandbox Version:38.0.0 Beryl
      Analysis ID:1277760
      Start date and time:2023-07-22 11:40:27 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 1s
      Hypervisor based Inspection enabled:false
      Report type:light
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Run name:Run with higher sleep bypass
Number of new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
      Detection:MAL
      Classification:mal60.winEXE@2/6@0/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.168.117.173
      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
No simulations
No context (five empty context sections)
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.6790339392113841
      Encrypted:false
      SSDEEP:192:qMxBR+hfHBUZMXL30jE/u7srS274It6OgPI:dxBR+hfBUZMXL30jE/u7srX4It6OgPI
      MD5:EEC5A651477B43D76750B4AB116A646C
      SHA1:0106BE3143E7869AFB1ED9558E1C5549A2777AAD
      SHA-256:0A232FD1869EFB0AAEFD617A7D9D253027FAEADBE6249506A2D65A3BFB722DFB
      SHA-512:9A5883CF320C92C9A867860E4EBF7C62B9E63DB5EFAC036E87CC3E1AC9619DDA9C860F38B7288FA8BB60F04875EA06A36E2BD3A45625109F814EA7D330E66D60
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.4.5.2.4.8.8.3.5.9.6.2.3.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.4.5.2.4.8.8.4.1.8.9.9.9.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.8.e.8.a.f.b.-.6.f.0.6.-.4.f.7.2.-.8.d.d.a.-.a.3.0.4.0.3.f.4.9.8.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.6.3.1.c.e.3.-.2.2.0.e.-.4.0.5.2.-.b.b.f.0.-.b.3.9.a.7.3.f.1.c.a.a.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...1.0.8.8.1...3.1.0.6.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.c.-.0.0.0.1.-.0.0.1.f.-.e.8.1.0.-.9.e.1.c.c.c.b.c.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.6.e.0.0.9.a.9.e.6.4.1.b.7.0.0.9.2.2.f.9.4.4.3.2.6.f.b.0.a.9.2.0.0.0.0.f.f.f.f.!.0.0.0.0.1.1.3.2.e.7.c.7.9.7.1.1.c.a.7.3.5.8.e.f.7.1.
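The first dropped file is WER's Report.wer for the crash (EventType=APPCRASH). Its EventTime and UploadTime are FILETIME values, and Wow64Host / Wow64Guest carry IMAGE_FILE_MACHINE constants, so the record alone yields the crash time in UTC, the crashed PID and the fact that a 32-bit image faulted on a 64-bit host, without opening the minidump. The script below is an added example and not part of the Joe Sandbox report; its input is constructed from the key=value pairs visible in the preview (the truncated TargetAppId line is left out), written as UTF-16LE with BOM and CRLF as the file type line describes. Reading AppSessionGuid as PID plus process-creation FILETIME is an assumption of this example, not something the report states; it is checked against the PID 7388 that WerFault.exe was launched with and against the minidump header time of Sat Jul 22 18:41:23 2023.

```python
"""Triage a WER Report.wer record: crash time, PID, architectures, process lifetime."""
from datetime import datetime, timedelta, timezone

# Constructed Report.wer content from the key=value pairs visible in the report preview.
# The truncated TargetAppId line is deliberately omitted. WER writes UTF-16LE, BOM, CRLF.
_WER_LINES = [
    "Version=1",
    "EventType=APPCRASH",
    "EventTime=133345248835962317",
    "ReportType=2",
    "Consent=1",
    "UploadTime=133345248841899919",
    "ReportStatus=524384",
    "ReportIdentifier=448e8afb-6f06-4f72-8dda-a30403f49867",
    "IntegratorReportIdentifier=8f631ce3-220e-4052-bbf0-b39a73f1caa5",
    "Wow64Host=34404",
    "Wow64Guest=332",
    "NsAppName=SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe",
    "AppSessionGuid=00001cdc-0001-001f-e810-9e1cccbcd901",
]
SAMPLE_WER = ("\ufeff" + "\r\n".join(_WER_LINES) + "\r\n").encode("utf-16-le")

# IMAGE_FILE_MACHINE_* values, which is what Wow64Host / Wow64Guest hold
MACHINE_TYPES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_wer(raw):
    """Decode a Report.wer blob (UTF-16 with BOM) into a dict of its key=value lines."""
    fields = {}
    for line in raw.decode("utf-16").splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def filetime_to_utc(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def session_guid_start(guid):
    """Split AppSessionGuid into (pid, process start time).

    Assumption (this example's, not the report's): the first group is the PID in
    hex and the last two groups are the process-creation FILETIME as eight
    little-endian bytes. 0x1cdc == 7388 matches the PID WerFault.exe was given.
    """
    parts = guid.split("-")
    pid = int(parts[0], 16)
    start = int.from_bytes(bytes.fromhex(parts[3] + parts[4]), "little")
    return pid, filetime_to_utc(start)


def summarize(raw):
    """The handful of facts an incident responder wants from the record."""
    f = parse_wer(raw)
    crash = filetime_to_utc(f["EventTime"])
    pid, started = session_guid_start(f["AppSessionGuid"])
    return {
        "event": f["EventType"],
        "app": f["NsAppName"],
        "pid": pid,
        "host_arch": MACHINE_TYPES.get(int(f["Wow64Host"])),
        "guest_arch": MACHINE_TYPES.get(int(f["Wow64Guest"])),
        "crash_utc": crash.strftime("%Y-%m-%dT%H:%M:%SZ"),
        # how long WER took to queue the report after the fault
        "upload_delay_s": round((filetime_to_utc(f["UploadTime"]) - crash).total_seconds(), 2),
        # how long the process lived before faulting
        "lifetime_s": round((crash - started).total_seconds(), 2),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_WER).items():
        print(f"{key}: {value}")
```

The crash time it recovers, 2023-07-22T18:41:23Z, is the same instant the minidump header carries, and the process lifetime of about 1.2 s agrees with the 11:41:22 / 11:41:23 start times of the two processes in the report, which is the kind of cross-check that tells you the WER record belongs to the run you are looking at.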
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Sat Jul 22 18:41:23 2023, 0x1205a4 type
      Category:dropped
      Size (bytes):18060
      Entropy (8bit):2.2014095982110486
      Encrypted:false
      SSDEEP:96:5l8i48D/ERPAKzft2i7k3Ey1dSVmm1P9zmCulRMeSWInWIX4I4fynq1l:gi/WAKjUOydSVmm1wRfbfqq1
      MD5:FD79B8E5738601C44A85C0DD4C7905AD
      SHA1:7E6B17F11B425F4E9DD357D5EF0BE5D214734AE4
      SHA-256:9AE7BA31EC5EB655CAEC36A78E6FEFCE843FB966C9458DC34C0E4E00BB52C90C
      SHA-512:075E9595C3884BB9297878E6D5B11891675A8FCD4F68D6ABA99A3778BB611388A4083EEBEA9D0EA0633AAB421ECF30558D4E34BE858E176F4BE5C4956D5D6C07
      Malicious:false
      Reputation:low
      Preview:MDMP....... ........".d............4........... ...<.......d...l...........T.......8...........T................=..........\...........H....................................................................U...........B..............GenuineIntelW...........T............".d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8488
      Entropy (8bit):3.7118128131876573
      Encrypted:false
      SSDEEP:192:Rrl7r3GLNioj56Iq6YqfSU5gmf9DMSkCprp89brxsfCZm:RrlsNio9636YySU5gmf9oSqrqf1
      MD5:94EFBBBA13234E53BB4F468843F10BE2
      SHA1:F68404199B35F632BE001C6B7D727D5CCF927F52
      SHA-256:5C8372DE372CB5BB3882031EC6148374DB534231663182656525F0BE70AD6A90
      SHA-512:EE04D6F3A85F6C58D7D2AE4C3A92BE6C058C8E26F2E9B035295B7663DCC1C1309D31B8ADEF7DB42ECFBE29661EABFE8B139D4561742135A1EAC9C4B4819119C2
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.8.<./.P.i.d.>.......
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4823
      Entropy (8bit):4.601856115849031
      Encrypted:false
      SSDEEP:48:cvIwSD8zsAJgtWI9UyWgc8sqYjlu8fm8M4JqwtwT2ZFHk+q8BwPmSl048w0+Sw0p:uITfGPTgrsqY5LJ7yKwLuSl0I0+T07d
      MD5:1CBCD6846B7F518BDAA144CE5B55B7EB
      SHA1:2AF9AFE4D90720C5AC916247E0FA00B946014868
      SHA-256:F1C5D43E2ECCB7741F1B40BAFEE7ABB8ED8EC61ECDB6E9B92C243FE9F96CD6B9
      SHA-512:D2B1AE977102422D788B7814B66F0F4DA41A4244CFD94F30829CD64F4E6DA3552FFE66079DED9D37F9A77AF3ED851DD7A5ABC59D7680264CF24A48B1D6BA4BE5
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2140072" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1572864
      Entropy (8bit):4.294500264710577
      Encrypted:false
      SSDEEP:12288:yaGwROAydfbcnGnwd6Lp6d40g3ANPIX2zN7NawVDrFOWIwhVZd0M1uB:MwROAydfbcnGnwin7
      MD5:989590E03485A40C52EA3ECB67693036
      SHA1:39C4702DAB3D9FA912062D1CDB8268B0425E9727
      SHA-256:1E7D9AE74EED738E3A39BB57913102D691BFC561E524B0E60FE17992A0EEC2EE
      SHA-512:253B2089C14739882163EBA1DEC402EC3DE89975C302BEEB077377AA745214F661734CF531C061D99E73B7B3C2D8420CD46772FF9C948B5731E1CA00EE4CC174
      Malicious:false
      Reputation:low
      Preview:regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...................................................................................................................................................................................................................................................................................................................................................n..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):28672
      Entropy (8bit):3.8217116156174575
      Encrypted:false
      SSDEEP:768:TgrRftx1MJ4JDHNAJfGqpGBlkqICSC9OrMYPQo0:+WqRlb
      MD5:AA16146A041269C0EA9BEB9ABB0E694F
      SHA1:A4A763A049D01E4E96F1E89C25CA0D8B7D37E35C
      SHA-256:FD028F74175E64DF93D0E7C8458A4DDE54708F0A45CE947EED0770C75087E09D
      SHA-512:62728855AFEEFA3B17C096DCE3C3738D82A296A9CF0646EE3EF9B41D224B1B44660BDE6B4C419B08811214A53589E76E9F2603F7AA389CFC4F67E5E095ADB910
      Malicious:false
      Reputation:low
      Preview:regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm...................................................................................................................................................................................................................................................................................................................................................h..@HvLE.n......i...............T.T...8L.t...........0...................0..hbin................p.\..,..........nk,............h........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ............ ........................... .......Z.......................Root........lf......Root....nk .........................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.210509338559239
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
      File size:3'444'736 bytes
      MD5:2d49d0d6906103a3f6c171d354faa0af
      SHA1:1132e7c79711ca7358ef712f917ada28f7df0d1e
      SHA256:ce3dab7e124372ea19e7e9e9b5c61a482951c72156d82196e9045cc2055d189c
      SHA512:056d55cc21eacbb4727536ef760edf556c26e0a3ef2b40d9e4195cf6d1b8225e070f0439a9cd34cccbb9bbb1800d03e6c8edc1b1ff07292274612523892f3dc5
      SSDEEP:49152:Bq1vUXJXXcPMmtQk7AMS9CYS5DRzOmpinVI+kFLgDi9Ufbrr:Q+XJHcdTYS5lzOmpimtEDT
      TLSH:77F5E18742C10776C773B9384D5973BB4A19AA1359247CEAFD926B4C2B35E02FB20736
      File Content Preview:MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................X....'.....4g.....
      Icon Hash:90cececece8e8eb0
      Entrypoint:0x4c6734
      Entrypoint Section:CODE
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
      DLL Characteristics:
      Time Stamp:0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:
      Instruction
      push ebp
      mov ebp, esp
      add esp, FFFFFFF0h
      mov eax, 004C645Ch
      call 00007F164D29A230h
      push 00000036h
      call 00007F168533A230h
      push 00000036h
      call 00007F168533A230h
      push 00000036h
      call 00007F168533A230h
      push 00000036h
      call 00007F168533A230h
      push 00000036h
      call 00007F168533A230h
      mov dword ptr [004CAD3Ch], 00000001h
      push 00000036h
      call 00007F168533A230h
      inc dword ptr [004CAD3Ch]
      cmp dword ptr [004CAD3Ch], 06B3C41Dh
      jne 00007F16B0D4A1F9h
      mov eax, dword ptr [004C9808h]
      mov eax, dword ptr [eax]
      call 00007F17019AA830h
      mov ecx, dword ptr [004C9AB8h]
      mov eax, dword ptr [004C9808h]
      mov eax, dword ptr [eax]
      mov edx, dword ptr [004C5C40h]
      call 00007F17199AA830h
      mov eax, dword ptr [004C9808h]
      mov eax, dword ptr [eax]
      call 00007F16999AA830h
      call 00007F163104A230h
      nop
add byte ptr [eax], al  (repeated 30 times: zero bytes after the entry stub, shown by the disassembler as instructions)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb000 | 0x27ea | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xdf000 | 0x269e00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xefe4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xcf000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
CODE | 0x1000 | 0xc6000 | 0xc6000 | False | 0.44383655894886365 | data | 6.564348905944287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA | 0xc7000 | 0x3000 | 0x3000 | False | 0.3990885416666667 | data | 4.52569659394763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS | 0xca000 | 0x1000 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xcb000 | 0x3000 | 0x3000 | False | 0.07210286458333333 | data | 1.1147063293278243 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0xce000 | 0x1000 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xcf000 | 0x1000 | 0x1000 | False | 0.010498046875 | data | 0.03316609302002148 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0xf000 | 0xf000 | False | 0.0013346354166666667 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc | 0xdf000 | 0x26a000 | 0x26a000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
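The static tables above are enough to weigh the headline signatures without the sample in hand. The TimeDateStamp 0x4D414C43 is, read as the four little-endian bytes stored in the file, the ASCII string "CLAM", which matches the DOS-stub text identifying this as a ClamAV internal test binary. The import data directory is non-empty (0x27ea bytes inside .idata) even though "PE file does not import any functions" fired, and RELOCS_STRIPPED is set while a 0xefe4-byte base-relocation directory is still present, so the header flags and the directories disagree with each other and the signatures built on them should be treated as weak. The CODE/DATA/BSS section names with OS and subsystem version 4.0 are the layout the Borland linker produces, and the push ecx; mov dword ptr [esp], reg sequences counted as "code obfuscation" are that compiler's ordinary stack-slot idiom. The 21 "Security Software Discovery" hits likewise come from the sandbox's own Amcache.hve (VMware device strings, procexp.exe, msmpeng.exe), not from the sample. The script below is an added example, not part of the Joe Sandbox report or of ClamAV; its input is the report's numbers transcribed by hand, and the 0x1000 header size is an assumption (the raw sizes plus 0x1000 equal the file size exactly, so no overlay follows the last section).

```python
"""Cross-check the report's static PE claims against its own section and directory tables."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic flags from winnt.h
FILE_CHARACTERISTICS = {
    "RELOCS_STRIPPED": 0x0001,
    "EXECUTABLE_IMAGE": 0x0002,
    "LINE_NUMS_STRIPPED": 0x0004,
    "LOCAL_SYMS_STRIPPED": 0x0008,
    "LARGE_ADDRESS_AWARE": 0x0020,
    "BYTES_REVERSED_LO": 0x0080,
    "32BIT_MACHINE": 0x0100,
    "DEBUG_STRIPPED": 0x0200,
    "DLL": 0x2000,
    "BYTES_REVERSED_HI": 0x8000,
}

# Constructed input: values transcribed from the report's static PE section
IMAGE_BASE = 0x400000
ENTRY_POINT = 0x4C6734
FILE_SIZE = 3_444_736
TIMESTAMP = 0x4D414C43
HEADERS_SIZE = 0x1000   # assumption: section data starts at the first page, as the 0x1000 first VA suggests
REPORTED_FLAGS = ["RELOCS_STRIPPED", "EXECUTABLE_IMAGE", "LINE_NUMS_STRIPPED",
                  "LOCAL_SYMS_STRIPPED", "BYTES_REVERSED_LO", "32BIT_MACHINE", "BYTES_REVERSED_HI"]
# (name, virtual address, virtual size, raw size)
SECTIONS = [
    ("CODE",   0x1000,  0xC6000,  0xC6000),
    ("DATA",   0xC7000, 0x3000,   0x3000),
    ("BSS",    0xCA000, 0x1000,   0x1000),
    (".idata", 0xCB000, 0x3000,   0x3000),
    (".tls",   0xCE000, 0x1000,   0x1000),
    (".rdata", 0xCF000, 0x1000,   0x1000),
    (".reloc", 0xD0000, 0xF000,   0xF000),
    (".rsrc",  0xDF000, 0x26A000, 0x26A000),
]
# data directory -> (RVA, size)
DATA_DIRECTORIES = {
    "IMPORT":    (0xCB000, 0x27EA),
    "RESOURCE":  (0xDF000, 0x269E00),
    "BASERELOC": (0xD0000, 0xEFE4),
    "TLS":       (0xCF000, 0x18),
}


def characteristics_value(names):
    """Recombine the named flags into the raw Characteristics word."""
    return sum(FILE_CHARACTERISTICS[n] for n in names)


def section_for_rva(rva):
    """Name of the section whose virtual range contains rva, or None if it is in the header or unmapped."""
    for name, va, vsize, _raw in SECTIONS:
        if va <= rva < va + vsize:
            return name
    return None


def timestamp_views(ts):
    """TimeDateStamp as a UTC date and, when all four stored bytes are printable, as ASCII."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    raw = struct.pack("<I", ts)   # little-endian, exactly as the bytes sit in the file
    ascii_view = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    return when, ascii_view


def triage():
    """Return the consistency findings a reviewer would check before trusting the signatures."""
    flags = characteristics_value(REPORTED_FLAGS)
    raw_total = sum(raw for _n, _va, _vs, raw in SECTIONS)
    rsrc_raw = next(raw for n, _va, _vs, raw in SECTIONS if n == ".rsrc")
    return {
        "characteristics": flags,
        "entry_section": section_for_rva(ENTRY_POINT - IMAGE_BASE),
        # a non-empty import directory contradicts "PE file does not import any functions"
        "import_dir_section": section_for_rva(DATA_DIRECTORIES["IMPORT"][0]),
        "import_dir_size": DATA_DIRECTORIES["IMPORT"][1],
        # RELOCS_STRIPPED set while a base-relocation directory still exists
        "relocs_stripped_but_reloc_dir": bool(flags & FILE_CHARACTERISTICS["RELOCS_STRIPPED"])
                                         and DATA_DIRECTORIES["BASERELOC"][1] > 0,
        # bytes past the last section would be an overlay; 0 means the sections cover the whole file
        "overlay_bytes": FILE_SIZE - (HEADERS_SIZE + raw_total),
        # share of the file taken by .rsrc, the reason the "file size" signatures fired
        "rsrc_share": round(rsrc_raw / FILE_SIZE, 3),
        "timestamp": timestamp_views(TIMESTAMP),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

A printable TimeDateStamp is worth a rule of its own in any triage pipeline: compilers write the build time there, so four ASCII bytes mean the header was written by hand or by a tool that uses the field as a marker, and the date the report derives from it (2011-01-27) says nothing about when the file was built.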
      No network behavior found
      Target ID:0
      Start time:11:41:22
      Start date:22/07/2023
      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.10881.31061.exe
      Imagebase:0x400000
      File size:3'444'736 bytes
      MD5 hash:2D49D0D6906103A3F6C171D354FAA0AF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Target ID:3
      Start time:11:41:23
      Start date:22/07/2023
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7388 -s 216
      Imagebase:0xbe0000
      File size:434'592 bytes
      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      No disassembly