Malware Analysis Report

2024-11-13 18:23

Sample ID 241106-p8nb5azhrd
Target SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
SHA256 bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895
Tags: latentbot stormkitty xworm discovery execution rat spyware stealer trojan

Score: 10/10

Analysis Overview

Score: 10/10

SHA256

bd749917837b3e6a48c15277cb0d5b39fd0c89e4f52be26a72e30b11816fc895

Threat Level: Known bad

The file SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe was found to be: Known bad.

Malicious Activity Summary

latentbot stormkitty xworm discovery execution rat spyware stealer trojan

Xworm

Xworm family

Stormkitty family

StormKitty payload

StormKitty

Latentbot family

LatentBot

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 13:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 13:00

Reported

2024-11-06 13:02

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2360 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2360 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 2360 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DxVTeXwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DxVTeXwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3505.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 1648

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | weidmachane.zapto.org | udp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp
US | 8.8.8.8:53 | 131.113.120.87.in-addr.arpa | udp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp3505.tmp

MD5 d4c9675f6f3f53daa0f0120ddbad80f8
SHA1 0728c4bc15df65bb7b295e1a7341e1f648f3fdc9
SHA256 7032666b4012d311186e002a9207c531e863d3dc2268be23bc286972132805cd
SHA512 350eb895b5776d80081c488a0fed7f78adef364d6b0775f02442c8f0e680d4576c728dad41852370b24cc55d15cb0c5413bafb75b7a248d43d70c9fa6ba2e11d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltqxzeoo.pq3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f7e4298cceba8ee92a5c09d9a9df079d
SHA1 3d200a4663a2aaa9ec99a9480c3c9ec963c79b5d
SHA256 a683d8b1362193b4732fcf82d9fd97dd7f4245568d8a6c2356b4359aa906fd98
SHA512 e8810169af7006379b799e00b6ae9ad2a4a0fbcffb662c637f216bf656546e76c4eeac31fc811bf348ddbdaf967a98ff9b4db0f599bdf1f4122573d71b418066

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 13:00

Reported

2024-11-06 13:02

Platform

win7-20240903-en

Max time kernel

122s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

LatentBot

trojan latentbot

Latentbot family

latentbot

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Xworm

trojan rat xworm

Xworm family

xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1480 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe
PID 1480 wrote to memory of 2676 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DxVTeXwK.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DxVTeXwK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.17534.23664.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | weidmachane.zapto.org | udp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp
BG | 87.120.113.131:7000 | weidmachane.zapto.org | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 b90631edc365051a24e9da4a3c8a5b98
SHA1 5188b5a37a8b1c7cbbc4d680dea081ae72b2ec6c
SHA256 87d74a440b5a5cec51438bceeba9f98c72508188284d204efc59ec845fd78eb7
SHA512 48431f27a1250f5cf7bd8733888d52538437193627fcc84da34292d5b26216158becf27502b4e2542ea6661f2c131d2d63364846e29c61ede77331a708d470b2

C:\Users\Admin\AppData\Local\Temp\tmp7B19.tmp

MD5 43cde4b1bc08ca653fa9e9f5a25d014b
SHA1 d70e87530f97434687304f1a14770ae032b1fe8e
SHA256 0d8c983bbb1593f871f21c6316b5b1825d56533da27ea7ba3a1969d52a3d2f39
SHA512 52fc4b4efeabc47945962b3e9f75a3604077a9109d84d52988ec5263e81c007bc263ffc5232bea31dd440838f9c1a4157f3fd79ab2aeecb92a93f8627024c1a0
