Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
Analysis ID:	1366090
MD5:	7a11bd87c3e54ee1c792f41b68cf9be1
SHA1:	b3ced53a95b39b346927c42ca58f881677b7eb8f
SHA256:	baef0df0350146bd74555bd687f67f6b2be5eb0e3209e8293a6d33225906f84e
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to read the PEB

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe (PID: 5712 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe MD5: 7A11BD87C3E54EE1C792F41B68CF9BE1)

WerFault.exe (PID: 6564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 2820 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Virustotal: Detection: 36%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://counter.sina.com.cn/ip
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://open.baidu.com/special/time/
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://open.baidu.com/special/time/);window.baidu_time(http://www.time.ac.cn/stime.asp
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://pv.sohu.com/cityjson?ie=gb2312
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://pv.sohu.com/cityjson?ie=gb2312#
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.baidu.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.baidu.comtest
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.cdmaria.com/zhuan/2013/toupiao_data.php
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.cdmaria.com/zhuan/2013/xpic.php?classid=152&piao=19&sex=0
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.cdmaria.com/zhuan/2013/xpic.php?classid=152&piao=19&sex=0Accept-
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.mmwzpt.cn/mmrj/u.asp?Action=upsuccess&KEY=
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.mmwzpt.cn/mmrj/zx.asp?Action=zx&taskname=cdmaria_wzc
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	String found in binary or memory: http://www.time.ac.cn/stime.asp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Code function: 0_2_00498926	0_2_00498926
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Code function: 0_2_00432A90	0_2_00432A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Code function: 0_2_0044A510	0_2_0044A510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Code function: 0_2_0049C7FC	0_2_0049C7FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Code function: 0_2_004547B0	0_2_004547B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 232

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5712

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\147f527d-7fab-49a9-815b-5d7d958dceaa

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	ReversingLabs: Detection: 37%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 252

Source: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Static file information: File size 1220608 > 1048576

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Code function: 0_2_0045D100 sgdt fword ptr [ebp-08h]

0_2_0045D100

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Code function: 0_2_0049115C LdrInitializeThunk,

0_2_0049115C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Code function: 0_2_0041D884 mov ecx, dword ptr fs:[00000030h]

0_2_0041D884

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	38%	ReversingLabs
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	36%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.mmwzpt.cn/mmrj/u.asp?Action=upsuccess&KEY=	0%	Avira URL Cloud	safe
http://www.time.ac.cn/stime.asp	0%	Avira URL Cloud	safe
http://www.mmwzpt.cn/mmrj/zx.asp?Action=zx&taskname=cdmaria_wzc	0%	Avira URL Cloud	safe
http://counter.sina.com.cn/ip	0%	Avira URL Cloud	safe
http://www.mmwzpt.cn/mmrj/zx.asp?Action=zx&taskname=cdmaria_wzc	0%	Virustotal		Browse
http://www.baidu.comtest	0%	Avira URL Cloud	safe
http://www.cdmaria.com/zhuan/2013/toupiao_data.php	0%	Avira URL Cloud	safe
http://www.time.ac.cn/stime.asp	0%	Virustotal		Browse
http://www.mmwzpt.cn/mmrj/u.asp?Action=upsuccess&KEY=	0%	Virustotal		Browse
http://www.cdmaria.com/zhuan/2013/toupiao_data.php	0%	Virustotal		Browse
http://counter.sina.com.cn/ip	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://counter.sina.com.cn/ip	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://open.baidu.com/special/time/);window.baidu_time(http://www.time.ac.cn/stime.asp	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://pv.sohu.com/cityjson?ie=gb2312	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://www.baidu.com	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://www.baidu.comtest	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	Avira URL Cloud: safe	unknown
http://www.mmwzpt.cn/mmrj/zx.asp?Action=zx&taskname=cdmaria_wzc	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.mmwzpt.cn/mmrj/u.asp?Action=upsuccess&KEY=	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://open.baidu.com/special/time/	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://www.clamav.net	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://www.time.ac.cn/stime.asp	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pv.sohu.com/cityjson?ie=gb2312#	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false		high
http://www.cdmaria.com/zhuan/2013/toupiao_data.php	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1366090
Start date and time:	2023-12-22 09:39:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
Detection:	MAL
Classification:	mal60.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94, 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7276cb6b82f2de5d662b5e34686c7f69acebd88_1b796fe6_911806b5-0a5d-4dfe-9d9f-6653920611ed\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6843972037410334
Encrypted:	false
SSDEEP:	96:dYFaJa0+CUs1hMyok7JfXQXIDcQDc6XDcEhcw3lP+HbHg6ZAX/d5FMT2SlPkpXmD:GGa0zUl0drDLpUjEzuiF5Z24IO8bV
MD5:	7767493C3FFA95544669B791B1B9484D
SHA1:	707435C91F5609BCFB7824E4AE3C6BBE7CFDB136
SHA-256:	B40E514B2DAE022B7AD06FA2A411E15AC888A0822D43FE465621AC5DEB966766
SHA-512:	F3F50E626269EA15F3F5AF274D7A0327C4C9BA1FE9A55BEEDE8EDF5A46330C2491A245BBDEBC2896EAF8638BAF27B0E645E4A6D9608431CE7B0A2474A9FB96D5
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.7.7.0.8.0.6.8.2.3.2.3.4.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.7.7.0.8.0.6.8.5.7.6.0.9.2.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.1.8.0.6.b.5.-.0.a.5.d.-.4.d.f.e.-.9.d.9.f.-.6.6.5.3.9.2.0.6.1.1.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.c.9.8.9.8.6.-.f.1.9.8.-.4.d.c.7.-.b.d.8.9.-.1.b.7.d.1.0.0.4.e.9.b.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...1.T.Y.M.T.F.4...2.3.6.0...8.3.3.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.5.0.-.0.0.0.1.-.0.0.1.4.-.e.d.8.0.-.5.d.8.7.b.2.3.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.1.4.5.b.9.7.b.8.d.1.5.e.7.0.3.0.1.0.d.e.6.f.c.2.f.d.f.6.6.3.0.0.0.0.f.f.f.f.!.0.0.0.0.b.3.c.e.d.5.3.a.9.5.b.3.9.b.3.4.6.9.2.7.c.4.2.c.a.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9e8374491ebfcd5614ef4e824acfbd3ca36e6b86_1b796fe6_14ed891b-c6d3-4d2d-a6e5-e7069eb9c747\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6845189957218711
Encrypted:	false
SSDEEP:	96:PEvF7a0+Cxgs1hMyoI7JfdQXIDcQvc6QcEVcw3cE/f+HbHg6ZAX/d5FMT2SlPkp9:cvZa0zxgT0BU/4jEzuiF5Z24IO8bV
MD5:	1581A3D6DF041BFF3760EC346256B65D
SHA1:	6B4182A77B2C6A119DB2EC9B0799E1C79546F324
SHA-256:	72820B40F107D6DD718EE62904D9069669B7E3F906B1AF46C4A4A36CFBA5BCC0
SHA-512:	69E9EB363352C1FD2FEF84250ADE6CABB40B55FF1BBB2BE461DF574E66EDFE8EBDB348E7065C3FF51AFC03853036F195DB3538E722274CA976A762927766D520
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.7.7.0.8.0.3.4.7.1.9.3.0.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.7.7.0.8.0.3.5.1.8.8.0.4.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.e.d.8.9.1.b.-.c.6.d.3.-.4.d.2.d.-.a.6.e.5.-.e.7.0.6.9.e.b.9.c.7.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.3.d.d.c.0.5.-.b.9.6.e.-.4.e.6.f.-.8.7.4.c.-.9.a.8.0.0.5.7.b.1.e.2.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...1.T.Y.M.T.F.4...2.3.6.0...8.3.3.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.5.0.-.0.0.0.1.-.0.0.1.4.-.e.d.8.0.-.5.d.8.7.b.2.3.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.1.4.5.b.9.7.b.8.d.1.5.e.7.0.3.0.1.0.d.e.6.f.c.2.f.d.f.6.6.3.0.0.0.0.f.f.f.f.!.0.0.0.0.b.3.c.e.d.5.3.a.9.5.b.3.9.b.3.4.6.9.2.7.c.4.2.c.a.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66AC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 22 08:41:08 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18578
Entropy (8bit):	1.9353820097179273
Encrypted:	false
SSDEEP:	96:5E8DE3YBeYLTaQ6F/5i7n9lQ49yrYI6Rhe5WIkWI5oIQUIZeWOJ2:x3Be1h3OcCBGJhZDOJ2
MD5:	CC2F1899F256436A9828744098030300
SHA1:	1768B77C2AE1892FB4BF52F5372172FD27A267F4
SHA-256:	BC294CC1DDAF525B87A4A62A217AC5EF9059A0A193F0BE2C0F8DD9F003BEA6E3
SHA-512:	E6F5F566ED53358BFED5120A9D0F0AFF6A14E76B4A335F3703F278AF80ACED269849947C2C0E71D58ECE2A8B7FD1EEFDE0CDAFCFC616D57B8B043AB2C1A67470
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........K.e............4...............<.......T...............T.......8...........T...........H...J?......................................................................................................eJ......L.......GenuineIntel............T.......P....K.e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER670B.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8504
Entropy (8bit):	3.704986039478841
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4N6Mil46YEI1SU9K5gmfIglGmpDG89bXLsfudm:R6lXJK6MiK6YEqSU9K5gmfXlbXQf1
MD5:	1E65A5F3E61B0FE953A03E04FD1898EE
SHA1:	496D31CFA2970FA9970798341F3969D8B113DDAE
SHA-256:	4B3CA4C728417F2ECF145D894AD4A65AB0A986DA63C7B0154DF423619788CF74
SHA-512:	01482B0E2A90C82F43356B622E4F1174F6520984149573E9F9FFE1C4232DE9354538730930495371AAFDBB782E09C206AC6F2358A660AB9123D3E90007B2CF81
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER673B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.607208793846622
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+uJg77aI93EWpW8VYhWYm8M4JGaOqFM+q8vUO1E+5+bUd:uIjfJI7hd7VOfJBoV8E+5+bUd
MD5:	6ED305B4548BC8C32BBD4BE1C923BB86
SHA1:	D413886E26C3EBCD9FE1E33D65A2F1100EC2C3EA
SHA-256:	09B19A04039104D75C3F1F34F160ADAD244E6B7E7A451A0CEF76DC95C713731A
SHA-512:	494213A957088563EFA7C77D8B559C24AA0C5B8730AFAA81B99D9D3F3094650A34F6A6C11FB4ADCDD2C69743FC6668BC37BDFE234D0E4D44BB5DFA13BF9688C1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="115183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3D0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Dec 22 08:40:34 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18710
Entropy (8bit):	1.9749235234993834
Encrypted:	false
SSDEEP:	96:5e8/E3YeYLTaQdLg1wki7ndI40EEoEb5WIkWItoI4TheeNtjwV2sB:zre13JO6htTheeNpw4s
MD5:	6F3D39D83FA9528DCBF710890FDE2A7D
SHA1:	13C0CAEE7E66C6516500508DA8A99C92B9323A5C
SHA-256:	DF98C1AA0BFFA0F8FDB87989905050E151FB4DD9A6EE600F003BEB3D57E665C3
SHA-512:	8427CC86BA7EE0B417BF702C148AB27E4829C7A13D53B25CB2201436D3ACCDD9CE20FCE0FB4ECC8D96D37857733318B18E87BEB17046DF167C324E09F9DEC7CE
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........K.e............4...............<.......d...............T.......8...........T...............~?......................................................................................................eJ......L.......GenuineIntel............T.......P....K.e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE48C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8492
Entropy (8bit):	3.7085925425638866
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4/6x46YEIDSU9EegmfIC6prx89bZLsfoTm:R6lXJY6+6YEcSU9EegmfBRZQfx
MD5:	26F27877C2E90EA0030B64B30E51C0B3
SHA1:	4AA55FA483EA948A39C5AD4C8591BEFE5216A26E
SHA-256:	3ED79B40C9730C6BA0DF9068470B529397BB7D489DD2B27361D7B148F706CCD2
SHA-512:	999F417AEC2E86CF13D5C4A4571BE80642CABE97CC6DA24C00B53889094F735D14B5862ABC12C3C9643B377CA70A90A2BE0603686D1E7CB12FDBA4B965331E1E
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4BC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.607725293440294
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+uJg77aI93EWpW8VYjvYm8M4JGgFb+q8R/E+5+bUd:uIjfJI7hd7VsyJN+E+5+bUd
MD5:	8DE134EC21CBADC54C1173C80A4ECEA5
SHA1:	3CCE143B2E09DD7332B1434FF88C8F7239656B0A
SHA-256:	6F87E3AA72C7F659A8BBE621DECF47F6C6C7431FFBBA1B6F0A0291165D5A5B7F
SHA-512:	2382D3B5CE0A895CBE710E05290841B4B62547064F13958B4E6B4FA206DD1C940B93F2E24E1D2B7495EEDF5782F1EA41D31C6A8097183BDE2C6E19D3640F3873
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="115183" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421755575217419
Encrypted:	false
SSDEEP:	6144:FSvfpi6ceLP/9skLmb0OTIWSPHaJG8nAgeMZMMhA2fX4WABlEnNZ0uhiTw:MvloTIW+EZMM6DFyT03w
MD5:	002AF8B03CDF750FB4DD692259426F38
SHA1:	CED9038FD5500DDAD333C54A7276B9225E65AC84
SHA-256:	C58A3E3349E9EDB99C0756054406F084CDAA901DF0FB7A15839AB56740BA6E62
SHA-512:	FCB2FAD7771D69E18DCE25DA990D5698BE426B79273854DFC1CB7F418A2614C0EDBCDA079FE79C53B296DBF4870202DD6222259322B5568E0B5B26A644D63C57
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmRV...4..............................................................................................................................................................................................................................................................................................................................................F...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.353451322831142
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
File size:	1'220'608 bytes
MD5:	7a11bd87c3e54ee1c792f41b68cf9be1
SHA1:	b3ced53a95b39b346927c42ca58f881677b7eb8f
SHA256:	baef0df0350146bd74555bd687f67f6b2be5eb0e3209e8293a6d33225906f84e
SHA512:	458401fd8f477292f489c8969128b148563dc6bc8165b6af757498e4d97784d098ad740bd53de9229f6da77f4be6c6cf28ab27a177404ca6a82277ad8799a344
SSDEEP:	12288:7YizhtuzGLEUM5QPKbl1e0qbPNEqYyyL:7YizhtuiWoKR1e0CV1Yd
TLSH:	7C457D16F75200D5D207513229F3133937799B930A29FBE3DB99CE6D2E72366AD32281
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM...................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x48ecff
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004C7AF8h
push 0049115Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004B1194h]
xor edx, edx
mov dl, ah
mov dword ptr [0051F324h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0051F320h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0051F31Ch], ecx
shr eax, 10h
mov dword ptr [0051F318h], eax
push 00000001h
call 00007F687C2464D3h
pop ecx
test eax, eax
jne 00007F68B0ED5BBAh
push 0000001Ch
call 00007F68D9CB63D3h
pop ecx
call 00007F68392264D3h
test eax, eax
jne 00007F68B0ED5BBAh
push 00000010h
call 00007F68D9CB63D3h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F687D2064D3h
call dword ptr [004B1300h]
mov dword ptr [00520B44h], eax
call 00007F684B1F64D3h
mov dword ptr [0051F2E0h], eax
call 00007F68FE1D64D3h
call 00007F68451C64D3h
call 00007F68540A64D3h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004B1248h]
call 00007F68ED1C64D3h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F68B0ED5BB8h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd0b78	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x121000	0x5f30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb1000	0x7f0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb0000	0xb0000	False	0.4167258522727273	DIY-Thermocam raw data (Lepton 3.x), scale 0-199, spot sensor temperature 731709760.000000, unit celsius, color scheme 0, calibration: offset -255088476028928.000000, slope 38774585650963597903265792.000000	6.582151904200077	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb1000	0x23000	0x23000	False	0.2443359375	data	4.358326476642518	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd4000	0x4d000	0x4d000	False	0.06546456473214286	data	1.3194057986163656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x121000	0x6000	0x6000	False	0.21712239583333334	data	3.539452466912043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exePID: 5712, Parent PID: 1028

Function Logs

General

Target ID:	0
Start time:	09:40:34
Start date:	22/12/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe
Imagebase:	0x400000
File size:	1'220'608 bytes
MD5 hash:	7A11BD87C3E54EE1C792F41B68CF9BE1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6564, Parent PID: 5712

Function Logs

General

Target ID:	4
Start time:	09:40:34
Start date:	22/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 232
Imagebase:	0xef0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Value Created

Key Monitored

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Suspended

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2820, Parent PID: 5712

Function Logs

General

Target ID:	8
Start time:	09:41:08
Start date:	22/12/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 252
Imagebase:	0xef0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Created

Key Deleted

Key Monitored

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Process Information Set

Process Suspended

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Terminated

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exePID: 5712, Parent PID: 1028COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 0049115C Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 00491203

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f252c843b9cc76f55e65d48c86f6f541ae4eed9f35cf3a0950094a62666eae2
Instruction ID: 058ac11fbc23ad831e9a0090845b2c1bdf7e757ce130b0b61cd8d2f6543f15b6
Opcode Fuzzy Hash: 3f252c843b9cc76f55e65d48c86f6f541ae4eed9f35cf3a0950094a62666eae2
Instruction Fuzzy Hash: 0C21B832501209ABCB10EF5CDC849A6BB64FB04370F4547A6ED29972D5D735FA64CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0048ECFF Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0048ED25

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 45c8cc10e329208bc712a00821304d7dfb65caba442e057c67fa58d7fd7eb59d
Instruction ID: acf7f1d0b85b25f20fd0311194323a81b57558800ab76e03451c929eeb111168
Opcode Fuzzy Hash: 45c8cc10e329208bc712a00821304d7dfb65caba442e057c67fa58d7fd7eb59d
Instruction Fuzzy Hash: DD21F8B19407159FDB149FB6DC14BAD7BA8EF18730F104B2AE9359A2F0DB344940CB55

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0049C7FC Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

-, xrefs: 0049C9FA
9, xrefs: 0049C911
0, xrefs: 0049CA6A
c, xrefs: 0049C8EB
+, xrefs: 0049C9F1
-, xrefs: 0049C8D3
0, xrefs: 0049C926
9, xrefs: 0049C8BD
9, xrefs: 0049CA7D
1, xrefs: 0049CA41
+, xrefs: 0049C8CE
1, xrefs: 0049CA74
E, xrefs: 0049C8E6
0, xrefs: 0049C8D8
0, xrefs: 0049CA9B
9, xrefs: 0049CA49
9, xrefs: 0049C86B
C, xrefs: 0049C8DD
e, xrefs: 0049C8F4
9, xrefs: 0049CA8D
0, xrefs: 0049C99D

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 7cbada5784930834bba95c74c4e690b0926d54e1b1e814339718582167c4ecb5
Instruction ID: 65e8e4423bf83fd9087cfed76da5c012e2285f4fe5bad7304be8205b63a0b014
Opcode Fuzzy Hash: 7cbada5784930834bba95c74c4e690b0926d54e1b1e814339718582167c4ecb5
Instruction Fuzzy Hash: DAE1E071D54249DEEF24CFA8D8963FE7FB1AB00311F680237D411A62D2D7789A82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004547B0 Relevance: 3.1, Strings: 2, Instructions: 638COMMON

Download Yara Rule

Strings

/L, xrefs: 00454ECD
/L, xrefs: 00454F64

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: /L$/L
API String ID: 0-1765371763
Opcode ID: 819e99ede213d519f8d9555e9e1649905cbf37d63d0da9efc1bb8b6ac4454096
Instruction ID: 90a2bb01d5782d46153b0e13c0391caf74225f6061a6622fa00f70f364d0e4e1
Opcode Fuzzy Hash: 819e99ede213d519f8d9555e9e1649905cbf37d63d0da9efc1bb8b6ac4454096
Instruction Fuzzy Hash: 2342C671E00205DFCB14CFA8C881BEEB7B1BF89325F14466AD915AB381D734AD85CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00432A90 Relevance: .9, Instructions: 860COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d44304b516871154518afb9bb5ef290511a748aec987195c366189a0da2dfa9
Instruction ID: 8c274ea355cc5b7c10da19112e72771e7adbf9ee9ed39881f7e4fe20d8519c39
Opcode Fuzzy Hash: 8d44304b516871154518afb9bb5ef290511a748aec987195c366189a0da2dfa9
Instruction Fuzzy Hash: F572B271A00606DFCB14CF58C884AAEB7B5FF48320F24976EE8659B3A0D7789D41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044A510 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a4973dc17b5fe325a86a90d6b9392d5d8ed34af9b83b354f8a932a0c9a5c47
Instruction ID: 21429c6b24ecc349679ee25cc06bc4d87151441ee2826e0ab52a5b3386855af9
Opcode Fuzzy Hash: b1a4973dc17b5fe325a86a90d6b9392d5d8ed34af9b83b354f8a932a0c9a5c47
Instruction Fuzzy Hash: 04B1AC702407029BE720DF68C9C4BABB7E4FF44310F544A2EE5AA87391DB34B955CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00498926 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc2e14f915b3f951bbbf9d8e52103f219b9eb251892a45589a5208c74514bdf
Instruction ID: fcc48940fa8ca596609b12604b7800b67ec064750f60f4d86740c434c7462e27
Opcode Fuzzy Hash: 5dc2e14f915b3f951bbbf9d8e52103f219b9eb251892a45589a5208c74514bdf
Instruction Fuzzy Hash: 5DB15D75A0020ADFDB15CF08C5D0AA9BBA1FF59314F18C1AED85A5B342CB35EA46CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0045D100 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22e125e7f3907fa7696133c1115b255786f70e800c61341e24226e06c8c0568
Instruction ID: 32ea2530651c2d5ae84ea865585975cd92707d4c9687876518954d6432a2a3ef
Opcode Fuzzy Hash: d22e125e7f3907fa7696133c1115b255786f70e800c61341e24226e06c8c0568
Instruction Fuzzy Hash: C911E72491460496DB209B78D40419FB7F4EF55321F50C56ECCA9D73A1E3788949C39A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D884 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2698978531.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2698967647.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699022165.00000000004B1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699042008.00000000004E2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2699080778.0000000000521000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636f311a4b50d9411882654b697dc7159330f5e4c35e5a2960643c4933482fb7
Instruction ID: 2c5420dbf88dc77790db2490dc3de10d80152d4396f80ce379ba92d962d99b38
Opcode Fuzzy Hash: 636f311a4b50d9411882654b697dc7159330f5e4c35e5a2960643c4933482fb7
Instruction Fuzzy Hash: B901DAF4E2424887DF78AD0495D03FA7319EB16715F3020ABC9374A749D61E58C2EAAF

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_7276cb6b82f2de5d662b5e34686c7f69acebd88_1b796fe6_911806b5-0a5d-4dfe-9d9f-6653920611ed\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9e8374491ebfcd5614ef4e824acfbd3ca36e6b86_1b796fe6_14ed891b-c6d3-4d2d-a6e5-e7069eb9c747\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66AC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER670B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER673B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE3D0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE48C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4BC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exePID: 5712, Parent PID: 1028

General

File Activities

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1TYMTF4.2360.8338.exe