Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
Analysis ID:	1338659
MD5:	b4324daee90171c1d0dc8076413a50d8
SHA1:	e10a9026f12ad75262a0c1fe95d3e32a531cdacc
SHA256:	0f7104c5e354b112379c9371c52738a4de9e872bdf793a2216bc33d8e2c3c8cc
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe (PID: 1556 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe MD5: B4324DAEE90171C1D0DC8076413A50D8)

WerFault.exe (PID: 3604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Avira: detected

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\buildbot\bt_release_slave\bt_fork_release\build\Build\BitTorrentRelease\bittorrent.pdb source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: %s%s\|%S%s{searchTerms}http://tshttp://update.bittorrent.com/time.phphttp://www.facebook.com/bittorrenthttp://twitter.com/bittorrent '%s' (%s) equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: %s%s\|%S%s{searchTerms}http://tshttp://update.bittorrent.com/time.phphttp://www.facebook.com/bittorrenthttp://twitter.com/bittorrent '%s' (%s) equals www.twitter.com (Twitter)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: BPenterleave%c%S%cport=%d&pair=%Hhttp://www.facebook.com/plugins/like.php?.cleverbridge.comcleverbridge.com.utorrent.com.bittorrent.comhttp://featuredcontent.staging.utorrent.comhttp://featuredcontent.utorrent.com/mailto:btresource:// equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: Nhttps://www.facebook.com/dialog/apprequestsapp_id=%S&display=popup&message=%s&redirect_uri=%s%s&to=%Shttp://www.facebook.com/dialog/oauthQ{J equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/bittorrent equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/checkpoint/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/connect/uiserver.php equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/dialog/oauth equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/dialog/permissions.request equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.facebook.com/login.php equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/checkpoint/ equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/connect/login_success.html equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/connect/uiserver.php equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/dialog/apprequests equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/dialog/oauth equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/dialog/permissions.request equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://www.facebook.com/login.php equals www.facebook.com (Facebook)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: {Jcancelledhttps://www.facebook.com/dialog/oauthclient_id=%S&redirect_uri=%s&response_type=token&display=popup%s&scope=%Shttp://www.facebook.com/checkpoint/https://www.facebook.com/checkpoint/http://www.facebook.com/dialog/permissions.requesthttps://www.facebook.com/dialog/permissions.requesthttp://www.facebook.com/connect/uiserver.phphttps://www.facebook.com/connect/uiserver.phphttp://www.facebook.com/login.phphttps://www.facebook.com/login.phphttp://www.facebook.com/connect/login_success.htmlhttps://www.facebook.com/connect/login_success.htmlQ{J equals www.facebook.com (Facebook)

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://%s/installstats.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://%s/update_event.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://%s/updatestats.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://%s/updatestats.phphttp://%s/installstats.phphttp://%s/update_event.php/AUTOUPDATE
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://127.0.0.1:%d/proxy?sid=%S&file=%d%S#http://localhost:%dfile=%Ubtapp:/select
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://127.0.0.1:%d/proxy?sid=%x&file=%dBittorrent
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://127.0.0.1:%d/search?q=%%shttp://www.bittorrent.comdlimagecache
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://2851619.ourtoolbar.com/eula
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://CT3274043.ourtoolbar.com/LearnMore
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.html
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.htmlOV_COL_DISK_JOBOV_COL_SAVE_DIROV_COL
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/discoverContent/discoverContent.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/featuredcontent/featuredcontent.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/store/store.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/store/store.btapphttp://apps.bittorrent.com/featuredcontent/featuredconte
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/torque/pairing/style.%s%scss
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/torque/pairing/style.%s%scssstyleiframe/gui/pairimage/x-ms-bmp/gui/pingim
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/utorrent-onboarding/player.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/utorrent-onboarding/plus-bt2.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/utorrent-onboarding/welcome-upsell.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/utorrent-onboarding/welcome.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://apps.bittorrent.com/utorrent-onboarding/welcome.btapphttp://apps.bittorrent.com/utorrent-onbo
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://bench.utorrent.com
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://bench.utorrent.comeventNamelamelaielarelaaelcic_1lcic_0ltic_1ltic_0lreftectslclh
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://crl.godaddy.com/gds1-14.crl0S
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://crl.thawte.com/ThawteServerPremiumCA.crl0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.mybrowserbar.com/kits/sds/Toolbar-SetDefaultSearch.exe
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.utorrent.com/help/bittorrent-help-7800.zip
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.utorrent.com/help/bittorrent-help-7800.zip%s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.utorrent.com/public/DivXPlayer.htmlhttp://download.utorrent.com/public/DivXPlayer.ht
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://dslreports.com/speedtest/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://events.bittorrent.com/startConversion
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://forum.bittorrent.com/.
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://forum.bittorrent.com/?client=bittorrent7800
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://help.bittorrent.com
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://help.utorrent.com/customer/portal/articles/257678
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://help.utorrent.com/customer/portal/articles/257678Q
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://ll.www.bittorrent.com/llspeedtest/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://ll.www.bittorrent.com/llspeedtest/Mbit/skbit/sbit/sok%s%d:%d:%d:%d:%shttp://update.utorrent.c
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://ll.www.bittorrent.com/llspeedtest/speedtestobjects.txt
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://ocsp.godaddy.com/0J
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://offers.bittorrent.com/w/1.0/arjhttp://events.bittorrent.com/startConversionAutoExecFailedsett
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://portforward.com/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://pr.apps.bittorrent.com/share/share.btapp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://remote.utorrent.com/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://remote.utorrent.com/send?btih=
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://rssfeed.com/rss.xmlactive_panead_barplus_bgfile=%sXULUUL
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://search.bittorrent.com/bntop.html
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://search.conduit.com/Results.aspx?ctid=CT3083942&searchsource=45&&%s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://svr-ov-crl.thawte.com/ThawteOV.crl0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://tinyurl.com/api-create.php?url=%U
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://tinyurl.com/api-create.php?url=%U%s%H&dn=%U&message=%U%s%H&dn=%U&message=%U&sid=%s&cid=%Uhttp
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://tracker001.legaltorrents.com:7070/announce
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://twitter.com/bittorrent
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.bittorrent.com/time.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/hang.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/hang.phpunhungmtNA-%ddisknet:%d
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/installoffer.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/installoffer.phpOfferNotReadyNotProvidedDefaultBunndledecline_all_radio_m
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/speedserverlist.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/speedserverlist.phphttp://ll.www.bittorrent.com/llspeedtest/speedtestobje
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/speedstats.php?result=
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/survey%s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/download/langpacks/dl.php?build=29575&ref=client&client=bittorrent&sys_l=%s&sel_
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/rsstutorial.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/rsstutorial.phpQ
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/testport?plain=1
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/webui-guide.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/webui/version-%s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/webui/webui-%s-%s.zip
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://utorrent.com/webui/webui-%s-%s.zip7.8http://utorrent.com/webui/version-%s.gz...gz
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.apple.com/itunes
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com.
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/btusers/guidesPublisherBitTorrent
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/btusers/help/faq?client=bittorrent7800
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/btusers/help/faq?client=bittorrent7800http://forum.bittorrent.com/?client=
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/certified-devices/
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/certified-devices/http://www.apple.com/itunesdevice
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/downloads
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/downloads%d
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/legal/bittorrent-eula.
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com/search?client=%v&search=
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com?client=bittorrent7800
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.com?client=bittorrent7800BitTorrentutorrent.combittorrent.comdefaultuser_set.b
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.bittorrent.comNoRepairNoModifyMinorVersionVersionMinorMajorVersionVersionMajorDisplayVers
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.mininova.org/search/?cat=0&search=
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.mininova.org/search/?cat=0&search=0
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.mybrowserbar.com/images/pixel.gif?tb=1&cnid=817612
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.mybrowserbar.com/images/pixel.gif?tb=2&cnid=817612
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.mybrowserbar.com/images/pixel.gif?tb=2&cnid=817612http://www.mybrowserbar.com/images/pixe
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.utorrent.com/faq
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.utorrent.com/faq#mlabs
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.utorrent.com/faq.php100
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://www.utorrent.com/testport.php?port=%d
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://yogi.apps.bittorrent.com/track/?data=%s&ip=1
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://activate.utorrent.com
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://activate.utorrent.com/get_av
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://activate.utorrent.com/get_codec
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://activate.utorrent.com/get_player
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://activate.utorrent.comGetProcessMemoryInfopsapi.dllHTTP
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: https://remote.bittorrent.comhttp://www.bittorrent.com/dna/whatisdna/http://bit.ly/xaRsjr%Z

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 224

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043900A	0_2_0043900A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043B14E	0_2_0043B14E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_00439189	0_2_00439189
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043724B	0_2_0043724B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_004084F4	0_2_004084F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043F8EB	0_2_0043F8EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_00422957	0_2_00422957
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043BBF7	0_2_0043BBF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_00437CA9	0_2_00437CA9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_00438D50	0_2_00438D50

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 224

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1556

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c55003d4-8c14-4c85-a264-b55fee2a7cd7

Jump to behavior

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: bittorrent-help.zip
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.utorrent.com/help/bittorrent-help-7800.zip
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: @ms-its:%s::%s\hh.exebittorrent.chmbittorrent-780-29575.chmbittorrent-help.zipmagnetMemory Compacted, released %zMemory Compacting, system memory is low (%u%% CPU usage)
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://download.utorrent.com/help/bittorrent-help-7800.zip
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: To learn about your new features, please refer to the BitTorrent Plus Alpha forums./get_playerplayer.btinstall{E3DC5C2B-082C-4800-8C52-B9F655B94D2C}/get_codecstranscode.btinstall{CF59774A-CE9D-454D-AF29-1556367E1AC7}/get_avbitdefender.btinstallActivation error: %skernel32.dllGetProductInfohttp://download.utorrent.com/help/bittorrent-help-7800.zip%s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: add-stopped
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: {"name":%S, "hash":%H, "sid":%s, "completed_on":%J, "primary_label":%S, "files": [image/, "streamables": [liststreamablesapp_update_url,"error": %Suudownload_dir,"filter_ident": "%I","rss_ident": "%I"postpone-modeadd-stoppedsmart-ep-filterorignameepisode-filternot-filtersave-infilter-idupdatesmart-filtersubscribealiasfeedidfeed-idCan't accept remote configuration request while another is pendingCan't accept configuration change from other than administrative loginu,"token": %s
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: %I.in-addr.arpa
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: %c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.%c.ip6.arpa%I.in-addr.arpaIpFilter invalid line: [%S]ipfilter.daticon_urlchannellistinstalled_frommodifiedsinceupdate_url_btinstallsignerprocess_namepretty_nameinstall_dirproduct_codeinstall_stateV4ExlF^
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://%s/installstats.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http%s://%s/checkupdate.phphttp://%s/updatestats.phphttp://%s/installstats.phphttp://%s/update_event.php/AUTOUPDATE "%s"/AUTOUPDATE "%s" -1 /C .bat%s -n 2 127.0.0.1
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: -set-default-search -show-start-page
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: -open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2" -ie -ff -chrome
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: -show-start-page
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: -open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2"
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: HelpLinkhttp://www.bittorrent.com/btusers/guidesPublisherBitTorrent Inc.URLInfoAbouthttp://www.bittorrent.comNoRepairNoModifyMinorVersionVersionMinorMajorVersionVersionMajorDisplayVersionDisplayNameDisplayIcon%d.%d.%d.%d%s,0" /UNINSTALLCLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}Software\AppDataLow\Software\AskToolbar\MacroSoftware\AskToolbar\MacroSoftware\AppDataLow\AskBarDis\barToolbarNametbBTUTNULLyandexconduit-bing2conduit-google1showtoolbar-set-default-search -show-start-pageSet my default search and home page to Conduit search. Install and enable Search Protect to notify me of changes.-open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2" -ie -ff -chromeInstall the Toolbar including <a href="http://2851619.ourtoolbar.com/eula">Value Apps</a> (Recommended). Value Apps selects the app that bring you the best daily offers based on your browsing information.By choosing to install the Toolbar and/or set the search features and install Search Protect, you agree to these product terms, license-agreements, and privacy policies and/or to the Value Apps third parties terms and privacy policies. Conduit is not responsible for the practices of third parties. In addition to Value Apps, other apps may access, collect, and use your personal data, including your IP address and the address and content of web pages you visit.Thank you for choosing to install BitTorrentBitTorrent Installationtoolbar1-store-revertAllow my current home page and default search settings to be stored for easy reverting later.revert-show-start-pageSet my home page to Conduit Search and notify me of changes.homepage-set-default-searchSet my default search to Conduit Search and notify me of changes.searchInstall the Toolbarparameter-open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2"depends_ontoolbarrequiredcheckboxeschrome_paramff_paramie_paramfooter_textBy choosing to install the Toolbar and/or set the search features and install Search Protect, you agree to these product terms, license-agreements, and privacy policies and/or to the Value Apps third parties terms and privacy policies. Conduit is not responsible for the practices of third parties. In addition to Value Apps, other apps may access, collect, and use your personal data, including your IP address and the address and content of web pages you visit.body_textGet the official BitTorrent Toolbar and Value Apps for IE
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: HelpLinkhttp://www.bittorrent.com/btusers/guidesPublisherBitTorrent Inc.URLInfoAbouthttp://www.bittorrent.comNoRepairNoModifyMinorVersionVersionMinorMajorVersionVersionMajorDisplayVersionDisplayNameDisplayIcon%d.%d.%d.%d%s,0" /UNINSTALLCLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}CLSID\{3041D03E-FD4B-44E0-B742-2D9B88305F98}Software\AppDataLow\Software\AskToolbar\MacroSoftware\AskToolbar\MacroSoftware\AppDataLow\AskBarDis\barToolbarNametbBTUTNULLyandexconduit-bing2conduit-google1showtoolbar-set-default-search -show-start-pageSet my default search and home page to Conduit search. Install and enable Search Protect to notify me of changes.-open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2" -ie -ff -chromeInstall the Toolbar including <a href="http://2851619.ourtoolbar.com/eula">Value Apps</a> (Recommended). Value Apps selects the app that bring you the best daily offers based on your browsing information.By choosing to install the Toolbar and/or set the search features and install Search Protect, you agree to these product terms, license-agreements, and privacy policies and/or to the Value Apps third parties terms and privacy policies. Conduit is not responsible for the practices of third parties. In addition to Value Apps, other apps may access, collect, and use your personal data, including your IP address and the address and content of web pages you visit.Thank you for choosing to install BitTorrentBitTorrent Installationtoolbar1-store-revertAllow my current home page and default search settings to be stored for easy reverting later.revert-show-start-pageSet my home page to Conduit Search and notify me of changes.homepage-set-default-searchSet my default search to Conduit Search and notify me of changes.searchInstall the Toolbarparameter-open-thank-you-page -open-welcome -pair-key "%1" -launch-app client "%2"depends_ontoolbarrequiredcheckboxeschrome_paramff_paramie_paramfooter_textBy choosing to install the Toolbar and/or set the search features and install Search Protect, you agree to these product terms, license-agreements, and privacy policies and/or to the Value Apps third parties terms and privacy policies. Conduit is not responsible for the practices of third parties. In addition to Value Apps, other apps may access, collect, and use your personal data, including your IP address and the address and content of web pages you visit.body_textGet the official BitTorrent Toolbar and Value Apps for IE
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: http://update.utorrent.com/installoffer.php
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: TBRequestThreadRetrieveOffer %stsub=%ddb=%URetrieveOffer browser %Shttp://update.utorrent.com/installoffer.phpOfferNotReadyNotProvidedDefaultBunndledecline_all_radio_msgaccept_bundle_radio_msgaccept_all_radio_msgspigottestonPageInit:DLG_OFFER_NON_GOOGLE: displaying body_text_rtfcontent_offer_alttextcontent_offer_radio_declinecontent_offer_checkeduTorrentInstallPath7.829575onPageInit:DLG_OFFER_NON_GOOGLE: checkbox %d %s [%s]DISABLEDXonPageInit:DLG_OFFER_NON_GOOGLE: displaying body_textonPageInit:DLG_YANDEX: displaying body_text_rtfbody_text_rtfBitTorrent is a peer-to-peer file sharing application distributed by BitTorrent, Inc.
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: %s /NOINSTALL /BRINGTOFRONT%s /MINIMIZED%s /AUTOMATION%s /LAUNCHBUNDLEDURLTYPE %s%s /LAUNCHBUNDLEDURL %s%s /STARTAPP %sopencandyofferfiletypesbasicsetuplicensescamwarnwelcomewk2warningMicrosoft Sans Serif----- STARTING INSTALL -----http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.htmlOV_COL_DISK_JOBOV_COL_SAVE_DIROV_COL_FORMATOV_COL_EPISODEOV_COL_SOURCE_URLOV_COL_ELAPSEDOV_COL_LAST_ACTIVEOV_COL_DEBUGOV_COL_TRACKERSTATUSOV_COL_BWALLOCOV_COL_DOWNRATE_LIMITOV_COL_UPRATE_LIMITOV_COL_TRACKEROV_COL_COMPLETED_ONOV_COL_ADDED_ONOV_COL_LABELOV_COL_AVAILOV_COL_SHAREDOV_COL_UPPEDOV_COL_SEEEDS_PEERSOV_COL_PEERSOV_COL_SEEDSOV_COL_APPORIGINOV_COL_STREAMABLE_PROGRESSOV_COL_ANTIVIRUSOV_COL_RATINGOV_COL_ETAOV_COL_UPSPDOV_COL_DOWNSPDOV_COL_HEALTHOV_COL_STATUSOV_COL_DONEOV_COL_REMAININGOV_COL_DOWNLOADEDOV_COL_COMPLETEOV_COL_SELECTED_SIZEOV_COL_SIZEOV_COL_ORDEROV_COL_NAME
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: Not-Installed
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: OSysListView32InstalledReady to installNot-Installedstore_apps_totalfree_playerplayerlibvlc_newlibvlc_releaselibvlc_media_new_pathlibvlc_media_player_new_from_medialibvlc_media_releaselibvlc_media_player_get_hwndlibvlc_media_player_set_hwndlibvlc_media_player_playlibvlc_media_player_set_pauselibvlc_media_player_pauselibvlc_media_player_stoplibvlc_media_player_releaselibvlc_event_attachlibvlc_event_detachlibvlc_media_player_event_managerlibvlc_set_fullscreenlibvlc_media_player_get_positionlibvlc_media_player_set_positionlibvlc_media_player_get_statelibvlc_audio_get_volumelibvlc_audio_set_volumelibvlc_media_player_next_framelibvlc_media_player_get_ratelibvlc_media_player_set_ratelibvlc_audio_toggle_mutelibvlc_audio_get_mutelibvlc_audio_set_mutelibvlc_media_player_newlibvlc_get_versionlibvlc_add_intflibvlc_media_player_get_lengthlibvlc_media_player_get_timelibvlc_media_player_set_timelibvlc_media_player_is_playinglibvlc_media_player_set_medialibvlc_video_set_key_inputlibvlc_video_set_mouse_inputlibvlc_media_player_is_seekable&VLCStop%s\%s\%S%s\%SSoftware\VideoLAN\VLCInstallDirlibvlccore.dlllibvlc.dll1.2cart=bt_transcodecart=bt_antivirusQ{J
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: Start/Stop
Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	String found in binary or memory: Start/Stop

Source: classification engine

Classification label: mal48.winEXE@2/5@0/0

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static file information: File size 2453504 > 1048576

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x12d000

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\buildbot\bt_release_slave\bt_fork_release\build\Build\BitTorrentRelease\bittorrent.pdb source: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_004013EF push ecx; ret	0_2_004013FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043ECA0 push 8B000004h; iretd	0_2_0043ECA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	Code function: 0_2_0043ED81 push 8B30FFCDh; iretd	0_2_0043ED8A

Source: initial sample

Static PE information: section name: .text entropy: 6.835347377116387

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Code function: 0_2_004A75F2 EntryPoint,LdrInitializeThunk,

0_2_004A75F2

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Software Packing	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	100%	Avira	HEUR/AGEN.1353371

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.thawte.com0	0%	URL Reputation	safe
https://remote.bittorrent.comhttp://www.bittorrent.com/dna/whatisdna/http://bit.ly/xaRsjr%Z	0%	Avira URL Cloud	safe
http://rssfeed.com/rss.xmlactive_panead_barplus_bgfile=%sXULUUL	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/proxy?sid=%S&file=%d%S#http://localhost:%dfile=%Ubtapp:/select	0%	Avira URL Cloud	safe
http://%s/installstats.php	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/proxy?sid=%x&file=%dBittorrent	0%	Avira URL Cloud	safe
http://www.mybrowserbar.com/images/pixel.gif?tb=1&cnid=817612	0%	Avira URL Cloud	safe
http://www.bittorrent.comNoRepairNoModifyMinorVersionVersionMinorMajorVersionVersionMajorDisplayVers	0%	Avira URL Cloud	safe
http://tracker001.legaltorrents.com:7070/announce	0%	Avira URL Cloud	safe
http://%s/update_event.php	0%	Avira URL Cloud	safe
https://activate.utorrent.comGetProcessMemoryInfopsapi.dllHTTP	0%	Avira URL Cloud	safe
http://www.mybrowserbar.com/images/pixel.gif?tb=2&cnid=817612	0%	Avira URL Cloud	safe
http://%s/updatestats.php	0%	Avira URL Cloud	safe
http://%s/updatestats.phphttp://%s/installstats.phphttp://%s/update_event.php/AUTOUPDATE	0%	Avira URL Cloud	safe
http://127.0.0.1:%d/search?q=%%shttp://www.bittorrent.comdlimagecache	0%	Avira URL Cloud	safe
http://bench.utorrent.comeventNamelamelaielarelaaelcic_1lcic_0ltic_1ltic_0lreftectslclh	0%	Avira URL Cloud	safe
http://download.mybrowserbar.com/kits/sds/Toolbar-SetDefaultSearch.exe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://apps.bittorrent.com/utorrent-onboarding/welcome.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/discoverContent/discoverContent.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.utorrent.com/faq	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
https://activate.utorrent.com	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com?client=bittorrent7800BitTorrentutorrent.combittorrent.comdefaultuser_set.b	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/utorrent-onboarding/plus-bt2.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://offers.bittorrent.com/w/1.0/arjhttp://events.bittorrent.com/startConversionAutoExecFailedsett	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/downloads%d	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/webui/webui-%s-%s.zip	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://dslreports.com/speedtest/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/webui/version-%s	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/certified-devices/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/utorrent-onboarding/welcome.btapphttp://apps.bittorrent.com/utorrent-onbo	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://search.bittorrent.com/bntop.html	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/installoffer.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/btusers/help/faq?client=bittorrent7800http://forum.bittorrent.com/?client=	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
https://remote.bittorrent.comhttp://www.bittorrent.com/dna/whatisdna/http://bit.ly/xaRsjr%Z	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://yogi.apps.bittorrent.com/track/?data=%s&ip=1	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/legal/bittorrent-eula.	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.clamav.net	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/speedstats.php?result=	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/utorrent-onboarding/welcome-upsell.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/webui/webui-%s-%s.zip7.8http://utorrent.com/webui/version-%s.gz...gz	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/speedserverlist.phphttp://ll.www.bittorrent.com/llspeedtest/speedtestobje	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/btusers/guidesPublisherBitTorrent	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://127.0.0.1:%d/proxy?sid=%S&file=%d%S#http://localhost:%dfile=%Ubtapp:/select	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://portforward.com/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
https://activate.utorrent.comGetProcessMemoryInfopsapi.dllHTTP	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://www.mininova.org/search/?cat=0&search=0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://schemas.xmlsoap.org/soap/encoding/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/utorrent-onboarding/player.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://svr-ov-crl.thawte.com/ThawteOV.crl0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com?client=bittorrent7800	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://rssfeed.com/rss.xmlactive_panead_barplus_bgfile=%sXULUUL	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://apps.bittorrent.com/torque/pairing/style.%s%scssstyleiframe/gui/pairimage/x-ms-bmp/gui/pingim	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/testport?plain=1	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://certificates.godaddy.com/repository/gd_intermediate.crt0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://%s/installstats.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://ll.www.bittorrent.com/llspeedtest/Mbit/skbit/sbit/sok%s%d:%d:%d:%d:%shttp://update.utorrent.c	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/speedserverlist.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/download/langpacks/dl.php?build=29575&ref=client&client=bittorrent&sys_l=%s&sel_	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://%s/update_event.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://www.bittorrent.comNoRepairNoModifyMinorVersionVersionMinorMajorVersionVersionMajorDisplayVers	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://www.bittorrent.com	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://127.0.0.1:%d/proxy?sid=%x&file=%dBittorrent	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://help.utorrent.com/customer/portal/articles/257678Q	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://search.conduit.com/Results.aspx?ctid=CT3083942&searchsource=45&&%s	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://forum.bittorrent.com/?client=bittorrent7800	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://crl.godaddy.com/gds1-14.crl0S	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/webui-guide.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://CT3274043.ourtoolbar.com/LearnMore	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://ll.www.bittorrent.com/llspeedtest/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://utorrent.com/rsstutorial.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://tracker001.legaltorrents.com:7070/announce	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://tinyurl.com/api-create.php?url=%U%s%H&dn=%U&message=%U%s%H&dn=%U&message=%U&sid=%s&cid=%Uhttp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.mybrowserbar.com/images/pixel.gif?tb=1&cnid=817612	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://certificates.godaddy.com/repository/0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/installoffer.phpOfferNotReadyNotProvidedDefaultBunndledecline_all_radio_m	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/downloads	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.utorrent.com/faq.php100	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.mybrowserbar.com/images/pixel.gif?tb=2&cnid=817612	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://certificates.godaddy.com/repository100.	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://forum.bittorrent.com/.	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://%s/updatestats.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://update.utorrent.com/survey%s	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://twitter.com/bittorrent	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://127.0.0.1:%d/search?q=%%shttp://www.bittorrent.comdlimagecache	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://utorrent.com/rsstutorial.phpQ	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://%s/updatestats.phphttp://%s/installstats.phphttp://%s/update_event.php/AUTOUPDATE	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://update.utorrent.com/hang.phpunhungmtNA-%ddisknet:%d	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/featuredcontent/featuredcontent.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/store/store.btapphttp://apps.bittorrent.com/featuredcontent/featuredconte	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.bittorrent.com/time.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.utorrent.com/testport.php?port=%d	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://download.utorrent.com/help/bittorrent-help-7800.zip%s	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.htmlOV_COL_DISK_JOBOV_COL_SAVE_DIROV_COL	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://download.mybrowserbar.com/kits/sds/Toolbar-SetDefaultSearch.exe	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	unknown
http://www.bittorrent.com.	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.bittorrent.com/search?client=%v&search=	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://crl.thawte.com/ThawteServerPremiumCA.crl0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://remote.utorrent.com/send?btih=	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/store/store.btapp	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://help.bittorrent.com	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://download.utorrent.com/help/bittorrent-help-7800.zip	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.mininova.org/search/?cat=0&search=	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://ocsp.thawte.com0	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://2851619.ourtoolbar.com/eula	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://www.utorrent.com/faq#mlabs	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/conduit/eula/ByChoosingToInstall.html	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://ll.www.bittorrent.com/llspeedtest/speedtestobjects.txt	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://remote.utorrent.com/	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://events.bittorrent.com/startConversion	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
https://activate.utorrent.com/get_codec	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://bench.utorrent.comeventNamelamelaielarelaaelcic_1lcic_0ltic_1ltic_0lreftectslclh	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false	Avira URL Cloud: safe	low
http://tinyurl.com/api-create.php?url=%U	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://apps.bittorrent.com/torque/pairing/style.%s%scss	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high
http://update.utorrent.com/hang.php	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1338659
Start date and time:	2023-11-08 00:27:24 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
Detection:	MAL
Classification:	mal48.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 10
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Simulations

Behavior and APIs

Time	Type	Description
00:28:47	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_6eb839318b688379bd91126a189c4cd57139c93e_6e83953b_e4dd6269-cf32-4efc-8e3b-df7df54b38e5\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6948128180630573
Encrypted:	false
SSDEEP:	192:EkbobF70E04DmIwsZjEzuiF8Z24IO8ri:EYobF70/4Dm9sZjEzuiF8Y4IO8r
MD5:	298DEACB606268F51907E8DFE1D0B398
SHA1:	28398C5B00CD3CEA7DD9296590AAD54D29B29A50
SHA-256:	F460504BE97BD7BF1871310DDDFC1108EF11B286AC8849CEF6AFEBBEA51E772A
SHA-512:	B7364DA95E7B68561F41A5125557937999CDD2931AB403558886F311204EFA695D67B2A431C95A1EC5E1CDE5947C9AB29C53F9715735E29A57A889C3190D14DA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.3.8.7.3.3.2.1.1.4.3.8.0.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.3.8.7.3.3.2.4.5.8.1.3.1.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.d.d.6.2.6.9.-.c.f.3.2.-.4.e.f.c.-.8.e.3.b.-.d.f.7.d.f.5.4.b.3.8.e.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.f.d.d.8.6.5.0.-.2.c.d.3.-.4.d.1.3.-.a.6.1.6.-.3.c.d.5.0.a.8.d.f.5.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...A.p.p.l.i.c.a.t.i.o.n...O.p.e.n.C.a.n.d.y...R...2.2.4.3.7...1.9.7.9.1...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.1.4.-.0.0.0.1.-.0.0.1.3.-.3.2.4.c.-.e.e.2.3.d.2.1.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.8.5.8.4.9.6.6.6.f.b.5.f.0.0.e.2.a.2.2.1.3.6.e.3.5.8.e.b.5.3.b.0.0.0.0.f.f.f.f.!.0.0.0.0.e.1.0.a.9.0.2.6.f.1.2.a.d.7.5.2.6.2.a.0.c.1.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER58DB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Nov 7 23:28:41 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	3021780
Entropy (8bit):	0.8084602745698963
Encrypted:	false
SSDEEP:	6144:/4qtOy5FL1WCpAgv8ItrUwZlctprtmt/L1mD:yyWNo8htprtGRmD
MD5:	04DA0F1F304F8EC1CC73E5D74B5108A7
SHA1:	37951456862B1BB89B6BC9AE0969A9676AF9A661
SHA-256:	F7F42841A5E5AF8E0249290B3ABE8115AB53AF4D8F7B6C9AE4B1BE35715A0FFD
SHA-512:	7B86500B8ADAC0AAFC0A02CE40C304D350AC18203A88E27A0312D7655B38502EBF2C8557D1FF1793F8120260DA6983C42E79BB81575EEA52EBB8EFAAE6A76E4D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......).Je............4...............<.......D...............T.......8...........T........... ...........................................................................................................eJ......L.......GenuineIntel............T...........(.Je.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6521.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8598
Entropy (8bit):	3.702416580840334
Encrypted:	false
SSDEEP:	192:R6l7wVeJm06g6YWtSU9Vqgmf3pP6cI0pDt89bt4sf4vm:R6lXJV6g6Y8SU9IgmfZP6c2trfN
MD5:	5477676F0F0180425B80699938FB1025
SHA1:	435E1F16EF69DD8B3866BBE5EF48B94E1A40A34C
SHA-256:	E40CFEA4C4D5CE25AB24D78A131C1061A2E9DF34DBEED76DCCFFE7E0286369B0
SHA-512:	B6612727029A7A583AEEF79129D204AA10F7300D3FB6CF57ED9C4A8FC063B6598BDC516A65F3C184653C9EE8BDA6DE0F3BAAD7B7AA98DDD84A7221A41A093C1B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6561.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4963
Entropy (8bit):	4.577715935679347
Encrypted:	false
SSDEEP:	48:cvIwWl8zsKJg77aI9vUWpW8VYgYm8M4JuOgO3Fr+q8vHOgOZFE9Rk+Zk7+vLd:uIjfYI7FN7VAJKKK5RRJU+vLd
MD5:	9B93C3895091FA6A383F50175FEFC5B5
SHA1:	006911850B7C13522BD3BABFB1A89B1E13E94705
SHA-256:	A124F2CB0472F0CB19067BAA20BBD082C6719F73E51F5F6A4846ACADF3711F27
SHA-512:	B6F4445F2D188E7766BD9A5D63CE982215697A8EE0917270E601851F770C601C6F6FC9C120F679D3907F5F62371BB5932D1597BF6E767E808881E6923EC7DF09
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="51271" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.29594967065101
Encrypted:	false
SSDEEP:	6144:S41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+73mBMZJh1VjP:b1/YCW2AoQ0Nih3wMHrVb
MD5:	C15A91C8E0664CF1BE382D1B8C7C158B
SHA1:	CD15790190266939E7F3344E535D7FFCEEDD49C2
SHA-256:	795E188A78A340D3D0FBE05F9F9D9393487B47DD5FEB49BB44EDB985E0D26C04
SHA-512:	786685D46CBA26DBD80F40E19EA69123638AFEEAD732EDB5DFCF21A190E1B18926B3A54618F7469EC918BDECCCC4E6A835A44C4081369392587A64EA48B8147F
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.hJ$.................................................................................................................................................................................................................................................................................................................................................s_.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.60905212631924
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
File size:	2'453'504 bytes
MD5:	b4324daee90171c1d0dc8076413a50d8
SHA1:	e10a9026f12ad75262a0c1fe95d3e32a531cdacc
SHA256:	0f7104c5e354b112379c9371c52738a4de9e872bdf793a2216bc33d8e2c3c8cc
SHA512:	e799bb293d2f147420bfecc312cadab86cb738f8ef8f335b5be808e6824cd6a9180c0bd9320b4dab6b036cd3d0fc76285a1356ecf8294660836e82dc768095db
SSDEEP:	49152:DEvydkkWjfq6h3LriBCPOcgZinHsJ9Pz:4vyd4fqI/ZAPz
TLSH:	56B59DE1EBBF9009D6BF0D724821952A06B2EF144375C6976358B925B330AF29D3CB47
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.....................J.......u.....

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4a75f2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00576660h
push 004A7530h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0052E448h]
pop ecx
or dword ptr [005D7098h], FFFFFFFFh
or dword ptr [005D709Ch], FFFFFFFFh
call dword ptr [0052E44Ch]
mov ecx, dword ptr [005CF2A4h]
mov dword ptr [eax], ecx
call dword ptr [0052E450h]
mov ecx, dword ptr [005CF2A0h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0052E454h]
mov eax, dword ptr [eax]
mov dword ptr [005D7094h], eax
call 00007F2541F75C3Eh
cmp dword ptr [005A4120h], ebx
jne 00007F2530D7531Eh
push 004EEF5Eh
call dword ptr [0052E458h]
pop ecx
call 00007F25973F5D3Eh
push 00592A20h
push 00592A1Ch
call 00007F25913F5D3Eh
mov eax, dword ptr [005CF29Ch]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [005CF298h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0052E460h]
push 00592A18h
push 00592000h
call 00007F2530D75D3Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18e124	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d8000	0x68d60	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x241000	0x10424	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12ea50	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x12e000	0xa44	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12d000	0x12d000	False	0.5442389301287376	data	6.835347377116387	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x12e000	0x64000	0x64000	False	0.3475732421875	data	4.594601279311397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x192000	0x46000	0x46000	False	0.11323939732142857	data	2.0181951575563617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1d8000	0x69000	0x69000	False	0.12824590773809524	data	3.4487898602226252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x241000	0x13000	0x13000	False	0.0012592516447368421	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
• WerFault.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exePID: 1556, Parent PID: 3968

Function Logs

General

Target ID:	0
Start time:	00:28:40
Start date:	08/11/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe
Imagebase:	0x400000
File size:	2'453'504 bytes
MD5 hash:	B4324DAEE90171C1D0DC8076413A50D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_6eb839318b688379bd91126a189c4cd57139c93e_6e83953b_e4dd6269-cf32-4efc-8e3b-df7df54b38e5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER58DB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6521.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6561.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exePID: 1556, Parent PID: 3968

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Windows Analysis Report
SecuriteInfo.com.Win32.Application.OpenCandy.R.22437.19791.exe