Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
Analysis ID:	1375460
MD5:	a24c39a4dae35fb546dc63577d2f47d9
SHA1:	142c0a952b82bfa245624ca9ddcb009f9dfe6b37
SHA256:	e332591b9548f44f65ccf2c9aa10ffb499b178da68fce43ef7344fb6039dfc0e
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe (PID: 6312 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe MD5: A24C39A4DAE35FB546DC63577D2F47D9)

conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 5672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 248 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Virustotal: Detection: 10%

Perma Link

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then sub esp, 1Ch	1_2_00432260
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then mov edx, dword ptr [esp+08h]	1_2_00432260
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	1_2_00428460
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebx	1_2_004685EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebx	1_2_004685A2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebp	1_2_0047A5B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebp	1_2_0047A711
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_00452A70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push edi	1_2_00462B12
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push edi	1_2_00464B22
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebx	1_2_00464C42
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebx	1_2_00462C32
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push esi	1_2_00482F60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then sub esp, 1Ch	1_2_00430FC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	1_2_0045B490
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then sub esp, 4Ch	1_2_0048558A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebp	1_2_0043963D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push esi	1_2_004676BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push edi	1_2_00447770
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then sub esp, 1Ch	1_2_00451870
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push edi	1_2_0044D94A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push esi	1_2_00483920
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then sub esp, 1Ch	1_2_004879EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push esi	1_2_00449B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebp	1_2_0044BE2A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 4x nop then push ebp	1_2_00439ECD

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/http://css.setti.info/Conexiune
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/submit-server-2011-12-30/
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/submit-server-2011-12-30/81.171.115.36:27017
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/submit-server/
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.info/submit-server//accepted
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://css.setti.infoReferer:
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://setmaster.info
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://setmaster.info/
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://setmaster.info/Conexiune
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://setmaster.info/Cookie:
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://setmaster.infoReferer:
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ads_txt1
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ads_txt1Conexiune
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ads_txt2
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ads_txt2Conexiune
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ip
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://tls.xhlds.com/asp.php?req=ipConexiune
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%s
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%shttp://xhlds.com/client/fds-first3n.ph
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&js=%d&jns=%d&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/fds-updatee3n.php?c=%d&f=%s&i=%s&js=%d&jns=%d&ds=%d&dns=%d&r=%d&l=%d&oh=%d&o
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/freq.php?c=%d&req=%s&ds=%s&h=%s
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/freq.php?c=%d&req=%s&h=%s
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	String found in binary or memory: http://xhlds.com/client/freq.php?c=%d&req=%s&h=%sConexiune

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00402072	1_2_00402072
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_004160B7	1_2_004160B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00412263	1_2_00412263
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00464440	1_2_00464440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0040E679	1_2_0040E679
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0042C888	1_2_0042C888
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00414979	1_2_00414979
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00428A42	1_2_00428A42
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00428C8C	1_2_00428C8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00410E3C	1_2_00410E3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0041D2DC	1_2_0041D2DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00423370	1_2_00423370
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA	1_2_0048D3BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_004215BC	1_2_004215BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00413DB8	1_2_00413DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0040DE59	1_2_0040DE59
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0041FEAC	1_2_0041FEAC

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 248

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal48.winEXE@4/9@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6312

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b880ce02-abbb-4e45-86b5-23b7a15b165f

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Virustotal: Detection: 10%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 248
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 252

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static file information: File size 1650688 > 1048576

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: real checksum: 0xde5e8 should be: 0x19424b

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Static PE information: section name: .eh_fram

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0041C464 push ecx; mov dword ptr [esp], ebx	1_2_0041C47C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00422764 push ecx; mov dword ptr [esp], 004D960Ch	1_2_0042279F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00422764 push eax; mov dword ptr [esp], 0042281Fh	1_2_004227AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0042281F push eax; mov dword ptr [esp], 004D960Ch	1_2_0042284A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00412E4C push eax; mov dword ptr [esp], 00000001h	1_2_00412EFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00412E8C push eax; mov dword ptr [esp], 00000001h	1_2_00412EFA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0044AF0E push FFFFFF89h; ret	1_2_0044AF26
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push ecx; mov dword ptr [esp], ebx	1_2_0048F7CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push eax; mov dword ptr [esp], ebx	1_2_004902F5
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push eax; mov dword ptr [esp], ebx	1_2_004910AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push ecx; mov dword ptr [esp], ebx	1_2_004920B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push eax; mov dword ptr [esp], 00002710h	1_2_004922C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push eax; mov dword ptr [esp], ebx	1_2_004925E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push edi; mov dword ptr [esp], eax	1_2_00493873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push edx; mov dword ptr [esp], ebx	1_2_00493B07
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push eax; mov dword ptr [esp], ebx	1_2_00493B8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_0048D3BA push edx; mov dword ptr [esp], eax	1_2_00496119
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Code function: 1_2_00475814 push eax; mov dword ptr [esp], eax	1_2_0047581F

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Code function: 1_2_00401243 EntryPoint,LdrInitializeThunk,

1_2_00401243

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Binary or memory string: Shell_traywndkernel32SetConsoleFontcould not convert calendar time to UTC timeDay of month value is out of range 1..31Day of month is not valid for yearUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0) Gecko/20100101 Firefox/10.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.3Accept-Language: en-us,en;q=0.5Cache-Control: max-age=0X-Requested-With: XMLHttpRequestOrigin: http://setmaster.infoReferer: http://setmaster.info/Cookie: __utma=1.2053247208.1325888509.1325888509.1326646749.2; __utmz=1.1325888509.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none); itemMarking_forums_items=eJxLtDK0qs60MjS2MLAGUkbmlkaGlgZmZta1XDBbbAaS; cc=ro; __utmb=1.1.10.1326646749; __utmc=1; PHPSESSID=t3kdcc4q1s32fkke5vp65vkhu2; session_id=0ac8d838db333fd503a96089e36a693eContent-Type: application/x-www-form-urlencodedserver_address=&server_type=halflife&server_submit=Add+Serverhttp://setmaster.info/Conexiune distorsionata la preluarea datelor "SetMaster.info" !
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	Binary or memory string: Shell_traywnd

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Code function: 1_2_0041A070 cpuid

1_2_0041A070

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	Path Interception	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	8%	ReversingLabs
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	10%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&js=%d&jns=%d&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	0%	Avira URL Cloud	safe
http://css.setti.info	0%	Avira URL Cloud	safe
http://setmaster.info/Conexiune	0%	Avira URL Cloud	safe
http://css.setti.info/submit-server-2011-12-30/81.171.115.36:27017	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ads_txt1	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ads_txt2	0%	Avira URL Cloud	safe
http://css.setti.info	0%	Virustotal		Browse
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	0%	Virustotal		Browse
http://css.setti.info/submit-server//accepted	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ads_txt2	0%	Virustotal		Browse
http://setmaster.info	0%	Avira URL Cloud	safe
http://css.setti.info/	0%	Avira URL Cloud	safe
http://setmaster.info/	0%	Avira URL Cloud	safe
http://xhlds.com/client/freq.php?c=%d&req=%s&h=%sConexiune	0%	Avira URL Cloud	safe
http://setmaster.info/Cookie:	0%	Avira URL Cloud	safe
http://setmaster.info	0%	Virustotal		Browse
http://css.setti.info/	0%	Virustotal		Browse
http://tls.xhlds.com/asp.php?req=ip	0%	Avira URL Cloud	safe
http://xhlds.com/client/freq.php?c=%d&req=%s&ds=%s&h=%s	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ads_txt1Conexiune	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ip	0%	Virustotal		Browse
http://css.setti.info/submit-server-2011-12-30/	0%	Avira URL Cloud	safe
http://css.setti.info/submit-server/	0%	Avira URL Cloud	safe
http://xhlds.com/client/freq.php?c=%d&req=%s&h=%s	0%	Avira URL Cloud	safe
http://xhlds.com/client/freq.php?c=%d&req=%s&ds=%s&h=%s	0%	Virustotal		Browse
http://setmaster.info/	0%	Virustotal		Browse
http://tls.xhlds.com/asp.php?req=ads_txt1	0%	Virustotal		Browse
http://xhlds.com/client/freq.php?c=%d&req=%s&h=%s	0%	Virustotal		Browse
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	0%	Avira URL Cloud	safe
http://css.setti.info/submit-server-2011-12-30/	0%	Virustotal		Browse
http://css.setti.info/submit-server/	0%	Virustotal		Browse
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	0%	Virustotal		Browse
http://css.setti.infoReferer:	0%	Avira URL Cloud	safe
http://setmaster.infoReferer:	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	0%	Virustotal		Browse
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	0%	Virustotal		Browse
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%s	0%	Virustotal		Browse
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%s	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-updatee3n.php?c=%d&f=%s&i=%s&js=%d&jns=%d&ds=%d&dns=%d&r=%d&l=%d&oh=%d&o	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ipConexiune	0%	Avira URL Cloud	safe
http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%shttp://xhlds.com/client/fds-first3n.ph	0%	Avira URL Cloud	safe
http://css.setti.info/http://css.setti.info/Conexiune	0%	Avira URL Cloud	safe
http://tls.xhlds.com/asp.php?req=ads_txt2Conexiune	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&js=%d&jns=%d&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://css.setti.info/submit-server-2011-12-30/81.171.115.36:27017	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://css.setti.info	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://setmaster.info/Conexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://tls.xhlds.com/asp.php?req=ads_txt1	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tls.xhlds.com/asp.php?req=ads_txt2	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://css.setti.info/submit-server//accepted	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://setmaster.info	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://css.setti.info/	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://setmaster.info/	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://setmaster.info/Cookie:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://xhlds.com/client/freq.php?c=%d&req=%s&h=%sConexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://tls.xhlds.com/asp.php?req=ip	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/freq.php?c=%d&req=%s&ds=%s&h=%s	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tls.xhlds.com/asp.php?req=ads_txt1Conexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://css.setti.info/submit-server-2011-12-30/	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://css.setti.info/submit-server/	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/freq.php?c=%d&req=%s&h=%s	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-univ3.php?c=%d&a=%s&i=%s&t=%d&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://css.setti.infoReferer:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false		high
http://setmaster.infoReferer:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&s=%s&cn=%d	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-first3n.php?c=%d&a=%s&i=%s&r=%d&l=%d&p=%d&oh=%d&or=%d&v=%d&cn=%d	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%s	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-updatee3n.php?c=%d&f=%s&i=%s&js=%d&jns=%d&ds=%d&dns=%d&r=%d&l=%d&oh=%d&o	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://tls.xhlds.com/asp.php?req=ipConexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://xhlds.com/client/fds-check.php?c=%d&a=%s&i=%s&t=%d&h=%shttp://xhlds.com/client/fds-first3n.ph	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://css.setti.info/http://css.setti.info/Conexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown
http://tls.xhlds.com/asp.php?req=ads_txt2Conexiune	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1375460
Start date and time:	2024-01-16 16:38:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
Detection:	MAL
Classification:	mal48.winEXE@4/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
16:39:08	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_52c39fc5bcdf1aa069192af103fe48fd9a11519_7dd17308_f500cfcd-0e44-4dc7-80f9-66804c930ec0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6864483271935383
Encrypted:	false
SSDEEP:	192:zsYuitXPkd70BU/YjEzuiFCZ24IO87mI:zBuit/kdIBU/YjEzuiFCY4IO87mI
MD5:	C26DC39B2E11C6E7289C3CE5E855973F
SHA1:	AD7F095B4116B2A5A74262983575203431484FBE
SHA-256:	107C71C389577A6D81A18E172757335FF7EC6E6A35A898116838778EC0A5A4D5
SHA-512:	3F3A2E0F225F0E31A7C896D4F55E5B6D6D931B06119FF5AA1F511E978D206DCDE7F6BD31F057F614F8E5FB74B04D60D53B7B679A2A0885EB35BD5747A33701F2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.9.8.9.3.1.4.6.8.0.8.5.8.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.9.8.9.3.1.4.7.3.2.4.2.2.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.0.0.c.f.c.d.-.0.e.4.4.-.4.d.c.7.-.8.0.f.9.-.6.6.8.0.4.c.9.3.0.e.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.5.1.9.1.7.2.-.9.8.d.9.-.4.7.8.4.-.9.8.3.c.-.6.1.3.d.6.3.e.d.4.3.0.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...1.6.6.5.0...3.0.2.2.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.8.-.0.0.0.1.-.0.0.1.5.-.d.a.5.f.-.3.2.2.2.9.2.4.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.4.b.4.7.0.d.7.5.8.5.6.b.b.e.4.d.c.1.0.5.4.1.8.e.c.a.1.6.a.2.7.0.0.0.0.f.f.f.f.!.0.0.0.0.1.4.2.c.0.a.9.5.2.b.8.2.b.f.a.2.4.5.6.2.4.c.a.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_84a58ccd12b2f316f290191695a7e7bac560e8_7dd17308_cf6470ba-3503-45bb-826c-3c93af6d0242\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6811386731911215
Encrypted:	false
SSDEEP:	96:TmlLALC+BT5s2shMy2m7MXfBQXIDcQnc6rCcEhcw3rX8a+HbHg6ZAX/d5FMT2SlP:cPk5o056rIjEzuiFCZ24IO87
MD5:	AC4CE3A06F564C283B83316F085C0B5C
SHA1:	37C1596D1B5EE9622A309C295BFA5A70F51B3772
SHA-256:	9F00E0B76E61ED7B113509091E161B49FD2B149069F1E44B7E99E2471173894C
SHA-512:	C54A430941520AF845EBC30004428CB964386913A5BC4095FC421EA3373E611AE883C6D4FD007A489BF01F059CF4B45A65818166FF0097BC9A36B9BE751BAB73
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.9.8.9.3.1.4.5.7.1.9.3.4.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.6.4.7.0.b.a.-.3.5.0.3.-.4.5.b.b.-.8.2.6.c.-.3.c.9.3.a.f.6.d.0.2.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.7.d.c.1.4.0.-.0.7.2.b.-.4.d.a.5.-.a.2.4.5.-.2.3.0.1.b.a.8.9.6.b.c.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...1.6.6.5.0...3.0.2.2.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.a.8.-.0.0.0.1.-.0.0.1.5.-.d.a.5.f.-.3.2.2.2.9.2.4.8.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.4.b.4.7.0.d.7.5.8.5.6.b.b.e.4.d.c.1.0.5.4.1.8.e.c.a.1.6.a.2.7.0.0.0.0.f.f.f.f.!.0.0.0.0.1.4.2.c.0.a.9.5.2.b.8.2.b.f.a.2.4.5.6.2.4.c.a.9.d.d.c.b.0.0.9.f.9.d.f.e.6.b.3.7.!.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 16 15:39:05 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	20024
Entropy (8bit):	2.067108924031573
Encrypted:	false
SSDEEP:	96:5i8dE3DgXavjRGhORVxi7nOyTpJVsbWuis/1i9d0GsrKVkjS68LWx4Wq/WIXwWI1:3jXapRrOxcbWuis/1i97al2IFT
MD5:	46A78D561E6AE93D5FA822CCD24238C5
SHA1:	C97F0A36805D0950BC44098985B15DD64BD54C4B
SHA-256:	077F303F6A7FA7D88460A491F94ABA899994D66081A5B082F90805CFB4AD51A5
SHA-512:	382281E8CAE5385C50454B4BBE5A0A45D24D3B50A35DB59D53D76036B259F0B3B5587BF8A6A33DD247DD02F201FA448A8044FF1DE1C20195C784473CB86BA887
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........e............4...............<.......d...............T.......8...........T...........8....D......................................................................................................eJ......L.......GenuineIntel............T..............e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B9F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8546
Entropy (8bit):	3.703289801133111
Encrypted:	false
SSDEEP:	192:R6l7wVeJZP6q6Y2D7SUv+gmfirNYpBM89bIlsfO4m:R6lXJB6q6YWSUv+gmfQOI+fo
MD5:	F66CB8D01326086392E53E830372DA97
SHA1:	FE5A7D2EB516432B0645F5B4950D528FE3B83C60
SHA-256:	A5E3C7EB889EE180B29157A251509813A2AF9E93CC484601F9FA14660FD10A38
SHA-512:	E4647D24FCAD4690135A3C33180244B19406C9B724AA70F88FCB0B825AE55851AEA4DA4C1BC81B0A9E944BF590B643222E290414D099E369D5BBD0D07016AB04
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BFE.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4884
Entropy (8bit):	4.579120133851487
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMJg77aI9mBWpW8VY4Ym8M4J2cUFT+q8gZjwLS/+ricQd:uIjfKI7QQ7VMJen5+rifd
MD5:	39E2CB131F624CCB72BB10B30EE96B27
SHA1:	49F8B21C648E2AB69D7113942E2210C0F6C501B2
SHA-256:	7749452EF5DF8A96126FB3A57EFC11E7AF9D03ADD66562B54335FDFE28662B9F
SHA-512:	B23DE9A3B78CDCD8856FCCCB99F22120E02CA9B9A41AAA1574F15AA9F9E6E79453929D5FA985C0F2C219EAFC95E0B9F8586A084D9377F5A27D8AF2C6BE39EDF8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="151601" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EDA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 16 15:39:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18876
Entropy (8bit):	1.9768171889562738
Encrypted:	false
SSDEEP:	96:5d8cE3DBavjRG1JLJiimVxi7nL32wI3Kq5rKVkjS68LWx4Wq/WIXbWIpI4Ru1XYx:o9agJ2OD2wvqORgYx
MD5:	8CCCFC5F9D3072A9F53F5D4493A2AE02
SHA1:	21B43B36FB79E61AF6191F2AEFDDA3FF4B094A70
SHA-256:	759087C2FF20D3CE60E45E17BCC1559D834179FF65E6AC889C7A73B0B4256B1C
SHA-512:	FECD33DEAD0D3A5DE98928D02F7A1FB365BCED82E244FCEC1FB1F54FC7AECBAB317DE9746A81022223A8D3B70A562C4D052160A17B6188D6E7883148F382A680
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........e............4...............<.......T...............T.......8...........T...........`...\?......................................................................................................eJ......L.......GenuineIntel............T..............e.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F77.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8502
Entropy (8bit):	3.706340706435091
Encrypted:	false
SSDEEP:	192:R6l7wVeJZp6ZI6Y2DtSUtGgmfigKpr/89blblsfJJfjm:R6lXJX626YwSUtGgmfZ/lb+fJR6
MD5:	3CDEE7457228CCBDEFAD1DB01362C2C4
SHA1:	33BAEB0B5AAE03360160B9EF432684629BAFC41D
SHA-256:	8399487B0E5F4203529DC5591C272C0072C40BFAD5ABB835EC5E32302A39E7FC
SHA-512:	5D4A61FAC6D6E3353CDB20EDF0A3BBFB3F24754281CB1CDDCC21D807AC23A773A3B1024490DA16AE6C8037A53039DE53E804659B0D5AF531F68906081BF17E81
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FF5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4838
Entropy (8bit):	4.585520604422462
Encrypted:	false
SSDEEP:	48:cvIwWl8zsMJg77aI9mBWpW8VYMPYm8M4J2GFIo+q8TpwLS/+ricQd:uIjfKI7QQ7VdSJsoY5+rifd
MD5:	7BF7DBCF993FE95AEF6B9256645B8ACF
SHA1:	CF94D75693AD516593376E41534D9D27193794F0
SHA-256:	619169D2589EC872EE48CEF5AD37E39788722C206536644D2A4D65CAB05DFD28
SHA-512:	924978B9EAED9BC13B62A4627FF9882B6F435E4215967EF732C327359D55A90B3A6454FBB826B247EDF6CA11303E0215EFDDFBE6AE84AD3D65E8C79D01EAB378
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="151601" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468831293640004
Encrypted:	false
SSDEEP:	6144:RzZfpi6ceLPx9skLmb0fyZWSP3aJG8nAgeiJRMMhA2zX4WABluuNNjDH5S:JZHtyZWOKnMM6bFp3j4
MD5:	23E046A2322A8F10441D4DE8842FA013
SHA1:	5974AA9051E0DFA53672FF8FB5E7B352ED4EA542
SHA-256:	E2409E2CFC20F9D7D85B2A6AA58672E0E07FCFC11C2F6DE4A05A3616BDEA8933
SHA-512:	BB43F5782D96DC66E895C8C0FB180C6FB9B62642CA8139735205461AA236DF5A8EE77F77EB15BFB4C39765BBF4F2D254B52ACA43779763BA3839B615F58ED33D
Malicious:	false
Reputation:	low
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.0M#.H................................................................................................................................................................................................................................................................................................................................................Z.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.175056214293028
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
File size:	1'650'688 bytes
MD5:	a24c39a4dae35fb546dc63577d2f47d9
SHA1:	142c0a952b82bfa245624ca9ddcb009f9dfe6b37
SHA256:	e332591b9548f44f65ccf2c9aa10ffb499b178da68fce43ef7344fb6039dfc0e
SHA512:	bc48345a1499bdba4df44a14121f415b4bb8fd4a662579efefd1d37c94b8c84d140a4b01ad1021bf658683478218ff743fc7ebd568ae5aec42368eeccc153ec2
SSDEEP:	12288:eGxOQXyKinCnrdQPcxrszdzQ3Zj+v5VbHBYzyiYN/RHyp/m0XeOHSV:L9XyKinCnxQPcxgh0u5VLCztQ0nJHS
TLSH:	E975E820EFCEDAAEE21B78F5403996BAE1169D050173C462EA7EF415D2F69B7EC0110D
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................B..........C......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x401243
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:	0x416da0, 0x419f37, 0x419f04
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
sub esp, 1Ch
mov dword ptr [esp], 00000001h
call dword ptr [004DA4D0h]
call 00007F5FC500CD6Dh
sub esp, 1Ch
mov dword ptr [esp], 00000002h
call dword ptr [004DA4D0h]
call 00007F5FC500CD58h
mov eax, dword ptr [004DA500h]
jmp eax
mov eax, dword ptr [004DA4E8h]
jmp eax
nop
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [esp], 004AD000h
call 00007F602530D1CDh
mov edx, 0041D8F4h
test eax, eax
push ecx
je 00007F5FC500CFD6h
mov dword ptr [esp+04h], 004AD013h
mov dword ptr [esp], eax
call 00007F602D30D1CDh
push edx
push edx
mov edx, eax
test edx, edx
je 00007F5FC500CFD3h
mov dword ptr [esp+04h], 004D8008h
mov dword ptr [esp], 004BB0B0h
call edx
cmp dword ptr [004AC338h], 00000000h
je 00007F5FC500CFF9h
mov dword ptr [esp], 004AD029h
call 00007F602530D1CDh
mov edx, 00000000h
test eax, eax
push ecx
je 00007F5FC500CFD6h
mov dword ptr [esp+04h], 004AD037h
mov dword ptr [esp], eax
call 00007F602D30D1CDh
push edx
push edx
mov edx, eax
test edx, edx
je 00007F5FC500CFCBh
mov dword ptr [esp], 004AC338h
call edx
leave
ret
push ebp
mov ebp, esp
sub esp, 18h
mov dword ptr [eax+eax], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xda000	0x130c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xde000	0xb48d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xdd000	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xda378	0x2d8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa5000	0xa5000	False	0.33851207386363635	data	6.24133584397204	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa6000	0x7000	0x7000	False	0.008823939732142858	data	0.07872097248613387	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xad000	0xe000	0xe000	False	0.314208984375	data	5.3388284362954685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.eh_fram	0xbb000	0x1d000	0x1d000	False	0.31349339978448276	data	4.990322715347352	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0xd8000	0x2000	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xda000	0x2000	0x2000	False	0.0557861328125	data	1.576309936142775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0xdc000	0x1000	0x1000	False	0.010009765625	data	0.027884544061866304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xdd000	0x1000	0x1000	False	0.010986328125	data	0.03693529194703582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xde000	0xb5000	0xb5000	False	0.07668983080110497	data	3.1989133361345385	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

• SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
• conhost.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
• conhost.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
• conhost.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

Target ID:	1
Start time:	16:39:03
Start date:	16/01/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe
Imagebase:	0x400000
File size:	1'650'688 bytes
MD5 hash:	A24C39A4DAE35FB546DC63577D2F47D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:39:03
Start date:	16/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:39:05
Start date:	16/01/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 248
Imagebase:	0x540000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:39:06
Start date:	16/01/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 252
Imagebase:	0x540000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00401243 Relevance: 1.5, APIs: 1, Instructions: 10
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0040124D

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c1a534dc4b301a3f5e607471db0e9d475ee2cf0617c26ba3f63878f63dfc55e6
Instruction ID: f4c15ae516943dbf22a128e6d18d98c6ea5108dbedd46da072d27eaba8f8d084
Opcode Fuzzy Hash: c1a534dc4b301a3f5e607471db0e9d475ee2cf0617c26ba3f63878f63dfc55e6
Instruction Fuzzy Hash: 56D0C9700051409BC3003F28D80E3187BB0BB40389F00053EF4C1875A6D7B804A08B5F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0048D3BA Relevance: 146.7, Strings: 112, Instructions: 6660COMMON

Download Yara Rule

Strings

spam_status, xrefs: 00491D8E
Toate cele 3 incercari au fost eronate, redirectul se va inchide in 5 secunde ! , xrefs: 00491296
[XHLDS], xrefs: 0048E463, 00490EB5, 00498E5C
auxall2, xrefs: 0049208C
, xrefs: 0048F2A0
AUTOSTART detectat, redirectul va porni cu setarile anterioare !, xrefs: 004958AA
Nu pot verifica disponibilitatea serviciului. Redirectul se va opri in 10 secunde !, xrefs: 0048DC26, 0048F99D
Folositi comanda 'verifica' pentru status conectabilitate, xrefs: 0048D7DF
Fisierul ', xrefs: 0048E488, 00490EDA
Folositi comanda 'build' pentru a afla release-ul redirectului, xrefs: 0048D82A
drops, xrefs: 0049BCA6
/user.cfg, xrefs: 0048D4DF
Folositi comanda 'portstats' pentru statistici port-uri, xrefs: 0048D875
gametype, xrefs: 0048F258
[curenta: , xrefs: 0048DD59
%s%s%s%c%d%s%d%d, xrefs: 0048EEFD
secunde !, xrefs: 00490A39, 00491ED1
max, xrefs: 0048E808
%s.%d.%s, xrefs: 0048EFD8, 0048F686, 0048FD0D, 00491FF2, 00496052
xhlds-aux.exe mqaDTpOO7wg5 , xrefs: 00495B8B
firewall, xrefs: 00491D5F
Codul de client introdus nu este valid !, xrefs: 00495F6B
local, xrefs: 0049BC78
protocol, xrefs: 0048E893
flood_time, xrefs: 004991A5
Datele preluate sunt incomplete(i1), va rugam sa ne semnalati acest lucru pe FORUM !, xrefs: 0049002D, 0049675C
flood_status, xrefs: 00497735
[XHLDS], xrefs: 0048D6DF, 0048D72A, 0048D775, 0048D7C0, 0048D80B, 0048D856, 0048D8A1, 004926F2, 00495A1F, 004967E5
/gamenames.cfg, xrefs: 0048D684
c:\users\clauu\desktop\force_red\xhlds fake\xhlds fake\compilator\mingw\bin\../lib/gcc/i686-pc-mingw32/4.6.1/../../../../include/boost/thread/win32/shared_mutex.hpp, xrefs: 00492A39, 00494A1D, 0049714D
Varianta curenta nu permite lansarea mai multor instante simultan, redirectul se va inchide in 10 secunde !, xrefs: 004922A5
Incerc adaugarea exceptiei in WINDOWS FIREWALL, va rugam asteptati.., xrefs: 00496804
redirect.., xrefs: 004926BE
/hostnames.cfg, xrefs: 0048DCC9, 0049036A, 004903FF
, xrefs: 004954C9
XHLDS, xrefs: 00492249
Sistemul de operare ce urmeaza a fi emulat nu este valid !, xrefs: 00496459
Un administrator a suspendat serviciul. Redirectul se va opri in , xrefs: 00490A85, 00491F1D
spam_action, xrefs: 00491E92
kick, xrefs: 0048EA72, 0048EACD, 0049018B, 004901EC
ban, xrefs: 0049016F, 004901D0
OS:, xrefs: 0048F112
' nu este valid / este incomplet, redirectul se va inchide in 10 secunde !, xrefs: 0048E4B4
lanip, xrefs: 0049BBF6
6lan, xrefs: 00490DE9
Fisierul 'user.cfg' nu a putut fi deschis pentru scriere !, xrefs: 00495475
[*] , xrefs: 00495456
Folositi comanda 'stats' pentru statistici redirect, xrefs: 0048D794
Dupa fiecare optiune introdusa executati tasta 'ENTER', xrefs: 0048D6FE
IP:, xrefs: 0048F190
PORT:, xrefs: 0048F0D0
detail::win32::ReleaseSemaphore(semaphores[unlock_sem],old_state.shared_waiting + (old_state.exclusive_waiting?1:0),0)!=0, xrefs: 00497155
[XHLDS] , xrefs: 0048DC07, 0048DD16, 0048DDEB, 0048ED5A, 0048F171, 0048F3FC, 0048F4CD, 0048F97E, 0048F9DC, 0048FA7E, 0048FB30, 0048FC48, 0048FEC6, 00490A66, 004910DF, 00491277, 00491AE0, 00491CC0, 00491EFE, 00492286, 0049588B, 00495958, 00495E38, 00495E83, 00495F4C, 00495F97, 0049643A, 0049648B, 0049654C, 004968AB, 004968F6, 004969B7, 00497966, 004979B1, 00497A68
/maps.cfg, xrefs: 0048D65F, 004903DA, 004907BB
Introdu parola [total: 3, ramase: , xrefs: 00491108
Nu exista, xrefs: 00490CD0
Nu am putut atasa nici un PORT. Consola se va inchide in 10 secunde !, xrefs: 00498E7B
Folositi comanda 'stop' pentru a opri redirecturile, xrefs: 0048D749
IP-ul introdus nu este valid pt varianta aferenta [v.N/A] !, xrefs: 00497985
basic_string::substr, xrefs: 00490F45
REGION:, xrefs: 0048F135
flood_conn, xrefs: 004978C2
[XHLDS] , xrefs: 0048F080, 0049000E, 004902B3, 00491555, 004962BF, 0049673D
client, xrefs: 0049247C
[v.FREE-intern/extern], xrefs: 004914CE
autocontrol, xrefs: 0048E837
! Eroare getcwd.., xrefs: 0048F2DC
secunda !, xrefs: 00490AEC, 0049779A
' nu a fost gasit, redirectul se va inchide in 10 secunde !, xrefs: 00490F06
I, xrefs: 00497145
timed_lock(::boost::detail::get_system_time_sentinel()), xrefs: 00494A25
] : , xrefs: 00491138
redirecturi.., xrefs: 004926B4
secure, xrefs: 0048E8C1
CLIENT:, xrefs: 0048F0F2
logs, xrefs: 00490D58
D, xrefs: 00495B1A
spam_conn, xrefs: 00491DD9
tweak, xrefs: 00490CF6
Pornesc , xrefs: 00492711
dinamic, xrefs: 0048E865
Incerc initializarea procesului de PORT FORWARD, va rugam asteptati.., xrefs: 00495A3E
min, xrefs: 0048E7EE
+ 6 LAN [27015-27020], xrefs: 00495DB6
BUILD : , xrefs: 0048DE0A
[v.N/A-intern/extern], xrefs: 004914AE
VERSIUNE : v, xrefs: 0048DD35
Doriti inregistrarea in SETTI [da/nu] ? : , xrefs: 00495977
N/A, xrefs: 0048DCF6
[v.FULL-orice IP], xrefs: 0048F060
autostart, xrefs: 0048F2AE
P/H, xrefs: 00498BAB
update, xrefs: 00490C9D
Anumite setari pot fi modificate direct, detalii in 'settings.cfg', xrefs: 0048D8C0
flood_action, xrefs: 00499DAB
wait_res<2, xrefs: 00492A41
portforward, xrefs: 00499E2C
spord-sdlhx, xrefs: 0048E982
Port-ul introdus nu este valid !, xrefs: 0049656B
LAN IP : , xrefs: 004902D2
auxall11, xrefs: 0048F7A1, 0049615E
NUME:, xrefs: 0048F0AC
WAN IP : , xrefs: 0048ED7F
Numele introdus nu este valid !, xrefs: 00495E57
vector::_M_range_check, xrefs: 00490268
mod, xrefs: 0048F2ED
Utilizatorul curent de sistem nu dispune de permisiunile minime necesare(R-W), redirectul se va opri in 10 secunde !, xrefs: 0049157A
XHLDS - AUX, xrefs: 00495B81
/settings.cfg, xrefs: 0048D4BA
XHLDS %s, xrefs: 0048D3E3
/players.cfg, xrefs: 0048D6A9
Datele preluate sunt incomplete(i2), va rugam sa ne semnalati acest lucru pe FORUM !, xrefs: 004962DE

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: [XHLDS]$[XHLDS] $ $ $ + 6 LAN [27015-27020]$ Anumite setari pot fi modificate direct, detalii in 'settings.cfg'$ CLIENT:$ Dupa fiecare optiune introdusa executati tasta 'ENTER'$ Fisierul '$ Folositi comanda 'build' pentru a afla release-ul redirectului$ Folositi comanda 'portstats' pentru statistici port-uri$ Folositi comanda 'stats' pentru statistici redirect$ Folositi comanda 'stop' pentru a opri redirecturile$ Folositi comanda 'verifica' pentru status conectabilitate$ Incerc adaugarea exceptiei in WINDOWS FIREWALL, va rugam asteptati..$ Incerc initializarea procesului de PORT FORWARD, va rugam asteptati..$ Nu am putut atasa nici un PORT. Consola se va inchide in 10 secunde !$ OS:$ PORT:$ Pornesc $ REGION:$ [curenta: $ [v.FREE-intern/extern]$ [v.FULL-orice IP]$ [v.N/A-intern/extern]$ redirect..$ redirecturi..$ secunda !$ secunde !$! Eroare getcwd..$%s%s%s%c%d%s%d%d$%s.%d.%s$' nu a fost gasit, redirectul se va inchide in 10 secunde !$' nu este valid / este incomplet, redirectul se va inchide in 10 secunde !$/gamenames.cfg$/hostnames.cfg$/maps.cfg$/players.cfg$/settings.cfg$/user.cfg$6lan$AUTOSTART detectat, redirectul va porni cu setarile anterioare !$BUILD : $Codul de client introdus nu este valid !$D$Datele preluate sunt incomplete(i1), va rugam sa ne semnalati acest lucru pe FORUM !$Datele preluate sunt incomplete(i2), va rugam sa ne semnalati acest lucru pe FORUM !$Doriti inregistrarea in SETTI [da/nu] ? : $Fisierul 'user.cfg' nu a putut fi deschis pentru scriere !$I$IP-ul introdus nu este valid pt varianta aferenta [v.N/A] !$IP:$Introdu parola [total: 3, ramase: $LAN IP : $N/A$NUME:$Nu exista$Nu pot verifica disponibilitatea serviciului. Redirectul se va opri in 10 secunde !$Numele introdus nu este valid !$P/H$Port-ul introdus nu este valid !$Sistemul de operare ce urmeaza a fi emulat nu este valid !$Toate cele 3 incercari au fost eronate, redirectul se va inchide in 5 secunde ! $Un administrator a suspendat serviciul. Redirectul se va opri in $Utilizatorul curent de sistem nu dispune de permisiunile minime necesare(R-W), redirectul se va opri in 10 secunde !$VERSIUNE : v$Varianta curenta nu permite lansarea mai multor instante simultan, redirectul se va inchide in 10 secunde !$WAN IP : $XHLDS$XHLDS %s$XHLDS - AUX$[*] $[XHLDS]$[XHLDS] $] : $autocontrol$autostart$auxall11$auxall2$ban$basic_string::substr$c:\users\clauu\desktop\force_red\xhlds fake\xhlds fake\compilator\mingw\bin\../lib/gcc/i686-pc-mingw32/4.6.1/../../../../include/boost/thread/win32/shared_mutex.hpp$client$detail::win32::ReleaseSemaphore(semaphores[unlock_sem],old_state.shared_waiting + (old_state.exclusive_waiting?1:0),0)!=0$dinamic$drops$firewall$flood_action$flood_conn$flood_status$flood_time$gametype$kick$lanip$local$logs$max$min$mod$portforward$protocol$secure$spam_action$spam_conn$spam_status$spord-sdlhx$timed_lock(::boost::detail::get_system_time_sentinel())$tweak$update$vector::_M_range_check$wait_res<2$xhlds-aux.exe mqaDTpOO7wg5
API String ID: 0-4051830362
Opcode ID: 3d6810b49465658850b5f65a3c975f62313b8141188bd6f9403d438e2a099544
Instruction ID: c2e55a6091c96fcbbfc05b23daa7157fdcd1fa3e4b33ed0e59bd3cfbc9f2116c
Opcode Fuzzy Hash: 3d6810b49465658850b5f65a3c975f62313b8141188bd6f9403d438e2a099544
Instruction Fuzzy Hash: 7FF32CB49097548FCB10EF24C9846ADBBF0FF44314F018AAED49897391DB789A89CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00412263 Relevance: 17.9, Strings: 14, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

145C, xrefs: 0041287A
475}, xrefs: 004128BC
-4c5, xrefs: 00412882
BC75, xrefs: 004128A3
05-3, xrefs: 0041289B
-onc, xrefs: 004128C4
e-B0, xrefs: 00412893
e-fl, xrefs: 004128D5
Loca, xrefs: 00412851
0E2-, xrefs: 00412872
l\{C, xrefs: 00412859
3F42, xrefs: 004128B4
ag, xrefs: 004128DD
1573, xrefs: 00412861

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -4c5$-onc$05-3$0E2-$145C$1573$3F42$475}$BC75$Loca$ag$e-B0$e-fl$l\{C
API String ID: 0-1864032947
Opcode ID: 0933c060c30ae3a9647ec8d027522ce644190953802481b104354ce56b74997f
Instruction ID: b3a33ed78b9865275f725f947867a22df4a71c8c78f085540911551c6b042ffb
Opcode Fuzzy Hash: 0933c060c30ae3a9647ec8d027522ce644190953802481b104354ce56b74997f
Instruction Fuzzy Hash: 26024BB690E3818FC3019F69894435EBFE1AFE5204F08895EF4D08A396D674C698DB57

Uniqueness

Uniqueness Score: -1.00%

Function 00410E3C Relevance: 11.2, Strings: 8, Instructions: 1179COMMON

Download Yara Rule

Strings

NON-STEAM), xrefs: 004114EC
Statistici PORT-uri:, xrefs: 00410E4F
STEAM, , xrefs: 004114CC
PORT , xrefs: 00411447
redirectionati, xrefs: 00411243
redirectionat, xrefs: 0041123B
momentan nu exista., xrefs: 00411FAC
- , xrefs: 00411471

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: - $ NON-STEAM)$ STEAM, $ momentan nu exista.$ redirectionat$ redirectionati$PORT $Statistici PORT-uri:
API String ID: 0-4271528825
Opcode ID: 922a22bbd5b81ead7a4bcec57f7fb23adbf2e42492e19bab89d828e6c86b1c26
Instruction ID: 08b7043032979d739312bc86f90c2ac774dec431e03406535bf4c70b9cc10684
Opcode Fuzzy Hash: 922a22bbd5b81ead7a4bcec57f7fb23adbf2e42492e19bab89d828e6c86b1c26
Instruction Fuzzy Hash: 59B29B715083458FC714DF29C0846AEFBE1BF84304F058A6EE5D98B365E778E989CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00428A42 Relevance: 10.7, Strings: 8, Instructions: 707COMMON

Download Yara Rule

Strings

c:\users\clauu\desktop\force_red\xhlds fake\xhlds fake\compilator\mingw\bin\../lib/gcc/i686-pc-mingw32/4.6.1/../../../../include/boost/thread/win32/shared_mutex.hpp, xrefs: 00428BF6, 00428C51, 0042907E
res==0, xrefs: 00429086
Day of month is not valid for year, xrefs: 004295AF
I, xrefs: 00428BEE
detail::win32::ReleaseSemaphore(upgrade_sem,1,0)!=0, xrefs: 00428C59
gfff, xrefs: 00428FAA
detail::win32::ReleaseSemaphore(semaphores[unlock_sem],old_state.shared_waiting + (old_state.exclusive_waiting?1:0),0)!=0, xrefs: 00428BFE
could not convert calendar time to UTC time, xrefs: 0042956C

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Day of month is not valid for year$I$c:\users\clauu\desktop\force_red\xhlds fake\xhlds fake\compilator\mingw\bin\../lib/gcc/i686-pc-mingw32/4.6.1/../../../../include/boost/thread/win32/shared_mutex.hpp$could not convert calendar time to UTC time$detail::win32::ReleaseSemaphore(semaphores[unlock_sem],old_state.shared_waiting + (old_state.exclusive_waiting?1:0),0)!=0$detail::win32::ReleaseSemaphore(upgrade_sem,1,0)!=0$gfff$res==0
API String ID: 0-1877638004
Opcode ID: 20cd3b385e6924d104d5168c2cf9181a32c8ce55f0d6b51f7eef65148f11029a
Instruction ID: b060665730a31ee13e5a49c3a0efab4a95496e13c46d363b5b7f57af9f53591b
Opcode Fuzzy Hash: 20cd3b385e6924d104d5168c2cf9181a32c8ce55f0d6b51f7eef65148f11029a
Instruction Fuzzy Hash: B042F671B183218BD314DF29D88026BBBD1AFD4320F548A2EE8A4873D5D778DC49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00414979 Relevance: 8.9, Strings: 6, Instructions: 1359COMMON

Download Yara Rule

Strings

gfff, xrefs: 00414C3A
could not convert calendar time to UTC time, xrefs: 00415D8E, 00415E1C, 00415EAD
gfff, xrefs: 00414F63
P, xrefs: 00415056
Day of month is not valid for year, xrefs: 004150DF, 00415D41, 00415E60
gfff, xrefs: 004156CA

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Day of month is not valid for year$P$could not convert calendar time to UTC time$gfff$gfff$gfff
API String ID: 0-2455318665
Opcode ID: b3da7810fc44c38092c6dca1a1d20f88e405522fba4f9d060f4ff90569f38e63
Instruction ID: e08b787dd1ee7055e253a1d30bf760fe1467d6e4765eb3f7057e3bc59d0aa9ba
Opcode Fuzzy Hash: b3da7810fc44c38092c6dca1a1d20f88e405522fba4f9d060f4ff90569f38e63
Instruction Fuzzy Hash: 55B291716087418BD764DF29C88039BB7E1BFC4334F548B2EE5A5873D4EB7898858B46

Uniqueness

Uniqueness Score: -1.00%

Function 00413DB8 Relevance: 7.0, Strings: 5, Instructions: 762COMMON

Download Yara Rule

Strings

<, xrefs: 00414889
gfff, xrefs: 00414234
`v, xrefs: 004146F3
gfff, xrefs: 00413FC8
gfff, xrefs: 004144B4

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: <$gfff$gfff$gfff$`v
API String ID: 0-1575193370
Opcode ID: ebc3f38c4fb46494dfd253a7e234ebdb740dd3d1e7e740dc177d618cbaeb5430
Instruction ID: e1d0763ea0e6db740cbed74cea136789d31bad080773cc849d5437778684d6c9
Opcode Fuzzy Hash: ebc3f38c4fb46494dfd253a7e234ebdb740dd3d1e7e740dc177d618cbaeb5430
Instruction Fuzzy Hash: 4B52F472A043158BC714CF2DD80139BBBE5ABC4324F158A2EE5A8DB3E4E379D945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040E679 Relevance: 6.7, Strings: 5, Instructions: 414COMMON

Download Yara Rule

Strings

lRK, xrefs: 0040E767
PkG, xrefs: 0040E832, 0040E92A
TRK, xrefs: 0040E81E, 0040E985
[XHLDS] , xrefs: 0040E6AB
,RK, xrefs: 0040E818, 0040E97F

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,RK$PkG$TRK$[XHLDS] $lRK
API String ID: 0-1718671664
Opcode ID: 5cffa956d1f7015942b2cdd7c910ffd8727b809604ce94957602beca802e28db
Instruction ID: ffc10e1cf3077121bcae960be686e9ed8f7c14224d7426e7ce8c889d102258a8
Opcode Fuzzy Hash: 5cffa956d1f7015942b2cdd7c910ffd8727b809604ce94957602beca802e28db
Instruction Fuzzy Hash: 9B1202745083858FD724DF29C0847AAFBE0BF89308F448E6EE4E997290E7799549CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE59 Relevance: 6.7, Strings: 5, Instructions: 412COMMON

Download Yara Rule

Strings

lRK, xrefs: 0040DF47
PkG, xrefs: 0040E012, 0040E10A
TRK, xrefs: 0040DFFE, 0040E165
[XHLDS] , xrefs: 0040DE8B
,RK, xrefs: 0040DFF8, 0040E15F

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,RK$PkG$TRK$[XHLDS] $lRK
API String ID: 0-1718671664
Opcode ID: 64b9e5d36ef10c2664074667bd24126d6a42cbb2798917b390e52ce1cc510570
Instruction ID: bf52d99e7444a08135aafa62459e454e4554617a8aa49a5e677087bb23d64cb4
Opcode Fuzzy Hash: 64b9e5d36ef10c2664074667bd24126d6a42cbb2798917b390e52ce1cc510570
Instruction Fuzzy Hash: 5612F2745083858FD754DF29C08469EFBE1BF89308F048E6EE4E99B290E7789649CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEAC Relevance: 6.4, Strings: 4, Instructions: 1419COMMON

Download Yara Rule

Strings

inity, xrefs: 0042038F
, xrefs: 0042106B
P, xrefs: 00421507
5, xrefs: 004204FE

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $5$P$inity
API String ID: 0-1737018110
Opcode ID: 13543b10637228aff6982c26b47d17bf265ea6807d04ec0c59928f8d52978b86
Instruction ID: 73c27ae663d21f99e7b921829f9698b580185864b7f389b146a8239336e75c3a
Opcode Fuzzy Hash: 13543b10637228aff6982c26b47d17bf265ea6807d04ec0c59928f8d52978b86
Instruction Fuzzy Hash: 23D24570608391CFE720DF29D484B5AFBE1BBC4314F958A2EE499873A1D7789885CF46

Uniqueness

Uniqueness Score: -1.00%

Function 004160B7 Relevance: 5.8, Strings: 4, Instructions: 821COMMON

Download Yara Rule

Strings

gfff, xrefs: 00416714
could not convert calendar time to UTC time, xrefs: 00416CCC, 00416D47
gfff, xrefs: 00416297
Day of month is not valid for year, xrefs: 004163CB, 004168CB

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Day of month is not valid for year$could not convert calendar time to UTC time$gfff$gfff
API String ID: 0-1708079696
Opcode ID: 94ca5545899bfdf99369689c1f58f3cc84f941c7a1f1e9e5325ace95bc1f62f6
Instruction ID: b3d19067ef34ea3c46fabad51b835cec2e80e52bf5c189bac421accaad2a9cde
Opcode Fuzzy Hash: 94ca5545899bfdf99369689c1f58f3cc84f941c7a1f1e9e5325ace95bc1f62f6
Instruction Fuzzy Hash: 2562C471A083118BD714DF29C8902ABB7E1EFC4320F558B2EE9A5873E5D778D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00464440 Relevance: 5.4, Strings: 4, Instructions: 421COMMON

Download Yara Rule

Strings

basic_filebuf::underflow invalid byte sequence in file, xrefs: 00464870
basic_filebuf::underflow incomplete character in file, xrefs: 00464696
basic_filebuf::underflow codecvt::max_length() is not valid, xrefs: 00464A05
basic_filebuf::underflow error reading the file, xrefs: 00464825

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_filebuf::underflow codecvt::max_length() is not valid$basic_filebuf::underflow error reading the file$basic_filebuf::underflow incomplete character in file$basic_filebuf::underflow invalid byte sequence in file
API String ID: 0-2144588626
Opcode ID: 1fdea474844ec546014106bfb4eb2a7323e0528f42ee12c9cd715907732e53a5
Instruction ID: a0b80be6ede349a427e3f8462e88e4953b456e722d25fd4f5e6e4e0565e2c507
Opcode Fuzzy Hash: 1fdea474844ec546014106bfb4eb2a7323e0528f42ee12c9cd715907732e53a5
Instruction Fuzzy Hash: BC023C759083408FCB14DF29C48461ABBE1BFC9324F158A9EEC989B395E738D945CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0043963D Relevance: 4.3, Strings: 3, Instructions: 510COMMON

Download Yara Rule

Strings

@)G, xrefs: 00439DD6
, xrefs: 00439B7C
@, xrefs: 00439694

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $@$@)G
API String ID: 0-1697318906
Opcode ID: a450f179b47142ce68a0cf28129c66b44025a267fa5e6aaf6a615678af7c7367
Instruction ID: 7de807072bf2bb52a3e382f327e3d06e1c00b6c63df5aa8d2e26ef9f6a614dce
Opcode Fuzzy Hash: a450f179b47142ce68a0cf28129c66b44025a267fa5e6aaf6a615678af7c7367
Instruction Fuzzy Hash: 502226705083408FD724CF29C48475AFBE1AF8A324F489A5EE5E98B3D1D7B9D885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00439ECD Relevance: 4.2, Strings: 3, Instructions: 494COMMON

Download Yara Rule

Strings

@)G, xrefs: 0043A59B
0, xrefs: 0043A545
0, xrefs: 00439F81

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0$0$@)G
API String ID: 0-4213668859
Opcode ID: 886cf4ea8de5c86c8921cfacaae331b072604b39e33e9c124dc4762f1826c9ce
Instruction ID: 0d83ce72fc0cbe4d234eacbe3b0db4f0687e1298a1223ec9e0d8e0ac6f91852c
Opcode Fuzzy Hash: 886cf4ea8de5c86c8921cfacaae331b072604b39e33e9c124dc4762f1826c9ce
Instruction Fuzzy Hash: 522218705497808ED7219F29C48472EBBE1AB89328F089B4EE4F54B3E1D379D985CB47

Uniqueness

Uniqueness Score: -1.00%

Function 0044BE2A Relevance: 4.1, Strings: 3, Instructions: 369COMMON

Download Yara Rule

Strings

, xrefs: 0044C6BB
@ZG, xrefs: 0044C86C
-, xrefs: 0044C81B

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $-$@ZG
API String ID: 0-10198579
Opcode ID: 9c246cca5a8514e7be673a1e83eaa66a6f01ec41e3ac8419a119d75dd978bf71
Instruction ID: ebc9698dadfe9f197413c269632a115ced4cde5615e06ee2a99e917dec3f0646
Opcode Fuzzy Hash: 9c246cca5a8514e7be673a1e83eaa66a6f01ec41e3ac8419a119d75dd978bf71
Instruction Fuzzy Hash: 490245706093858FE750CF25C484B5BFBE1BF85324F058A5EE4A88B3A1D779D849CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00447770 Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

gfff, xrefs: 0044789E
*, xrefs: 00447860

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: *$gfff
API String ID: 0-1583971923
Opcode ID: 9dafca650adceb2d86efa389c23f8c0b42561c16e1e986981fc2336f7881c058
Instruction ID: 342ae8d0bdf4f7eb807877a2fa97a8d9e8607422f9c0cc4fbbce87b5c79d6194
Opcode Fuzzy Hash: 9dafca650adceb2d86efa389c23f8c0b42561c16e1e986981fc2336f7881c058
Instruction Fuzzy Hash: E1D13674608341CFD720DF29C484A5AFBE1FF89354F118A6EE8998B361D735E885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0042C888 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

Day of month is not valid for year, xrefs: 0042CB99
gfff, xrefs: 0042CA66

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Day of month is not valid for year$gfff
API String ID: 0-3387681001
Opcode ID: 0ccd0620065bea8163eb49698b7c8d82b83f388afcbce440116aa3215278d4dc
Instruction ID: b3ff760ae3fdbd170f1d86319c76ea58174d35f8fcb71c4d96e98f2661260ecc
Opcode Fuzzy Hash: 0ccd0620065bea8163eb49698b7c8d82b83f388afcbce440116aa3215278d4dc
Instruction Fuzzy Hash: CFA1E371B043214BC718DF2DD89026EB6D2AFC4724F848B2FE5A59B3D1E77899498782

Uniqueness

Uniqueness Score: -1.00%

Function 004215BC Relevance: 2.3, Strings: 1, Instructions: 1071COMMON

Download Yara Rule

Strings

NaN, xrefs: 00421637

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: NaN
API String ID: 0-1757892521
Opcode ID: cfb7c46fbbebe6579671d36df157e5d67d2a10a51312ad99878c0e74672fb7b2
Instruction ID: acc0a1802df6d1e6999f0cc62f2fdb6cb86abdb35e47e3502e232735eb2b31a9
Opcode Fuzzy Hash: cfb7c46fbbebe6579671d36df157e5d67d2a10a51312ad99878c0e74672fb7b2
Instruction Fuzzy Hash: 85A257B1A08351DFD7109F29D58431ABBE0FB94354F908E1EE8D9873A1E379D885CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00402072 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

@, xrefs: 004020AA

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4a4b8f18898c40c766dfbe8c5e16751f5945723bba41c5e6045d7e4f1d565a2c
Instruction ID: 07e7523de202e95f8b2a001d7e840e0fecff15b43e60a3c7d6f879154b821be4
Opcode Fuzzy Hash: 4a4b8f18898c40c766dfbe8c5e16751f5945723bba41c5e6045d7e4f1d565a2c
Instruction Fuzzy Hash: 5222B07BB143184BC758DE599C111EAB3D3ABC8314F4E893DAD56E3306EA74AE0986C1

Uniqueness

Uniqueness Score: -1.00%

Function 00449B80 Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

%, xrefs: 00449D5A

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 82fa7ac463e5628d1715c36b0ab1bc6d92e061c5df9b870ae36ac08e3107869b
Instruction ID: 8a89350c94ca22dcdf08756e4bab8146afe13af39407e5f426f45f106c679108
Opcode Fuzzy Hash: 82fa7ac463e5628d1715c36b0ab1bc6d92e061c5df9b870ae36ac08e3107869b
Instruction Fuzzy Hash: 52C134B0508341CFD724DF2AC08066BFBE1AF85314F148A5EE8D98B391D738D989DB96

Uniqueness

Uniqueness Score: -1.00%

Function 0047A5B0 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

pB, xrefs: 0047A692

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: pB
API String ID: 0-3059159000
Opcode ID: 5c8111a34e7d65cd1a9a8adfc4c3fea70602aff8a0f2ad83eec32ccd36f48e70
Instruction ID: dfd2ac8993324b98fb52931fc474447fc9fc804f5189b0819dc40754a1a1a959
Opcode Fuzzy Hash: 5c8111a34e7d65cd1a9a8adfc4c3fea70602aff8a0f2ad83eec32ccd36f48e70
Instruction Fuzzy Hash: 00B16AB4605201CFCB14DF25C48466EBBE1FF81314F1ACA6ED8A88B355EB38E855CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00428C8C Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

gfff, xrefs: 00428FAA

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: 3417dd6ac722853c83c10b47dbe29af6ac556ddc251801f66e2ee9b9c10b3d4e
Instruction ID: f626ac2817cc99a9274d2f7bfab437f4607933e5c5a83cf93e263bea4d097c71
Opcode Fuzzy Hash: 3417dd6ac722853c83c10b47dbe29af6ac556ddc251801f66e2ee9b9c10b3d4e
Instruction Fuzzy Hash: 6E914672B143354BE718DF29D89036AB7D1EB84310F898A3EE9908B3D1E67CDC45CA45

Uniqueness

Uniqueness Score: -1.00%

Function 00451870 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

basic_string::_S_create, xrefs: 00451949, 00451A35, 00451AC0

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_string::_S_create
API String ID: 0-3542665010
Opcode ID: 9b5d64dce64deeaf9b387a8b0354ab9b2b4687c02125c3ab332e2365222b2216
Instruction ID: 2922f817871ef88002225812466664c5a662a3efd9ff47ef9f2000aaa4ac7a94
Opcode Fuzzy Hash: 9b5d64dce64deeaf9b387a8b0354ab9b2b4687c02125c3ab332e2365222b2216
Instruction Fuzzy Hash: EE81B0729043018FC710DF28C18065EF7E1AF84361F558B6EDCA59B3A6E738E949CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00430FC0 Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

basic_string::compare, xrefs: 0043103E, 004310A0, 00431115, 004311B3

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_string::compare
API String ID: 0-461983810
Opcode ID: fc9dc8b35b10e99ad36c87fe62cf59e49c4339c64b598f4195cd894c57a7e949
Instruction ID: f1984235d135743cb4e58fdaa820d712db99e38c2ac5eeac242e75360a767364
Opcode Fuzzy Hash: fc9dc8b35b10e99ad36c87fe62cf59e49c4339c64b598f4195cd894c57a7e949
Instruction Fuzzy Hash: 08611275A083518FC700EF29C58041EFBE1BFC8654F558A6EE8A8A3364D771ED858B86

Uniqueness

Uniqueness Score: -1.00%

Function 00432260 Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

basic_string::compare, xrefs: 004322D0, 00432342, 004323B3, 00432440

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_string::compare
API String ID: 0-461983810
Opcode ID: 37610485981898d1e844b7c4354045cb49696811565dad306d701fabfe91ef6c
Instruction ID: 947342a2aafe92797e23cb50b9facba7ec0f7d8eda431f13c74efb62150ac2be
Opcode Fuzzy Hash: 37610485981898d1e844b7c4354045cb49696811565dad306d701fabfe91ef6c
Instruction Fuzzy Hash: 4C511875A043018FC704DE29C58041EFBE2FFDC660F998A6DE898A3315D774ED898B96

Uniqueness

Uniqueness Score: -1.00%

Function 00452A70 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

basic_string::resize, xrefs: 00452ABE, 00452B30

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_string::resize
API String ID: 0-2356246151
Opcode ID: c6c9cb1187317f05ea734dde0a5e7ddb9bb67461d64dda25b09738ed10ce91ac
Instruction ID: fb24e1528ad9f7367751a9a1d963459aebbb6f162be94384a8a069aee63d0118
Opcode Fuzzy Hash: c6c9cb1187317f05ea734dde0a5e7ddb9bb67461d64dda25b09738ed10ce91ac
Instruction Fuzzy Hash: B621A8709083408BC718EF28C65011EB7E1BFC5721F94CB5EE8A8473E5E7799944CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 0045B490 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

basic_string::resize, xrefs: 0045B4DE, 0045B550

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_string::resize
API String ID: 0-2356246151
Opcode ID: d12629f7f879229363272d6f0b7fa0ffd894573f593b9dc6120b64bd4ed604d7
Instruction ID: 6ca8c2036780ecba2428303f00663dea8c5dd7f944bccf2203cdbfd708ad26a7
Opcode Fuzzy Hash: d12629f7f879229363272d6f0b7fa0ffd894573f593b9dc6120b64bd4ed604d7
Instruction Fuzzy Hash: 56215370A09344ABC7189F29C59001EBBE1EBC5335F54CB9EE8B8873E1E73985448B56

Uniqueness

Uniqueness Score: -1.00%

Function 00482F60 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

basic_ios::clear, xrefs: 00482F88

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_ios::clear
API String ID: 0-82543608
Opcode ID: 655dbec17b2899b638d53ee032c03a8dae12eb73b94ab8e5698336437fbb6ee9
Instruction ID: 88157261941042b17f206647203bbb4916cdc1054b69af7ae6845dc34334cd21
Opcode Fuzzy Hash: 655dbec17b2899b638d53ee032c03a8dae12eb73b94ab8e5698336437fbb6ee9
Instruction Fuzzy Hash: AE2198B08047018FC714BF25868076EBBF0BF44314F450E9EC9A60B3A2D779D949EB56

Uniqueness

Uniqueness Score: -1.00%

Function 00483920 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

basic_ios::clear, xrefs: 00483948

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: basic_ios::clear
API String ID: 0-82543608
Opcode ID: 3bd13eab07e8023010d45ac310060b90a14dda1e1cb0c54747322804e77b1c8f
Instruction ID: e22e9b8466c7429ea25a09798ac0a0640c15d168b829d2901c416a6275f2ef35
Opcode Fuzzy Hash: 3bd13eab07e8023010d45ac310060b90a14dda1e1cb0c54747322804e77b1c8f
Instruction Fuzzy Hash: 6F2139B08047018BC714EF29994076ABBE0BF50624F414F9EC8E65B3D2D378D685DB56

Uniqueness

Uniqueness Score: -1.00%

Function 00423370 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b7e91d6ca42ba0f8fda36797222a1ab83af0f1772e3d190879c96352591a96
Instruction ID: 1d51defb8612e00745f8b1fd7dfd73cccc78da23e7ee254aaa97aa06124259a4
Opcode Fuzzy Hash: 64b7e91d6ca42ba0f8fda36797222a1ab83af0f1772e3d190879c96352591a96
Instruction Fuzzy Hash: 8212A2B06083658FD714DF29D48432BBBF1BB85315F944A6EE8958B381C37CDA85CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0041D2DC Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5f583f9015806c7ebce3ba6365dc531997ffd6f233ce86c42853bfeede9ddb
Instruction ID: c17845b0d0ad61af5fee01c2c5413faa749a8427f651390663617ae6d428c659
Opcode Fuzzy Hash: 6d5f583f9015806c7ebce3ba6365dc531997ffd6f233ce86c42853bfeede9ddb
Instruction Fuzzy Hash: 3DE130B0A087058FC714DF19C58055BB7E1BFC8324F548B2EE8A99B395D738E985CB86

Uniqueness

Uniqueness Score: -1.00%

Function 004676BE Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02afaf4a4db779f90ac7f725d7418445ff9e452e61a1054de236abbb95f5bfa0
Instruction ID: 8ca6b617d4fe351b98e3b31b6c9ef2ad92326724871a1dc681a6637bc5240ef2
Opcode Fuzzy Hash: 02afaf4a4db779f90ac7f725d7418445ff9e452e61a1054de236abbb95f5bfa0
Instruction Fuzzy Hash: EE319C746096028FD704DF38C4C4B6AB7E1BF45318F048A6AE5408F395E739EC85CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0048558A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6752b5302f12f66bfd8174aa63953746efa45cdff3ff0f6c1a52abd55563427f
Instruction ID: 99251bb66793077e674d9b8790b6f250cce7fb34691cefe41d53b998f43452eb
Opcode Fuzzy Hash: 6752b5302f12f66bfd8174aa63953746efa45cdff3ff0f6c1a52abd55563427f
Instruction Fuzzy Hash: 343157B09087018FC701AF29C54425EFBF0BF84754F618D0EE9E8973A0E77998458F8A

Uniqueness

Uniqueness Score: -1.00%

Function 0044D94A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9dfa718c551e5edcdcdbe4f2be582d79496779ff7684ad4bb70259393678656
Instruction ID: 2dac2047104cbf9416b4aa05943fbbb22c893d66ae0886ee77a6f91b4340546d
Opcode Fuzzy Hash: c9dfa718c551e5edcdcdbe4f2be582d79496779ff7684ad4bb70259393678656
Instruction Fuzzy Hash: 0831DEB490E3419FD740DF68C08451EFBE0AF88760F119A2EF49893350E774D945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0047A711 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c92d8ea0c9ae933228685b067ea6f73b8ba206c0bfe4e7d4bbe1ca67a3b391
Instruction ID: bc306856a29b30728fa49d260959e0c28d456c6bab93a658da4ed44144881306
Opcode Fuzzy Hash: 67c92d8ea0c9ae933228685b067ea6f73b8ba206c0bfe4e7d4bbe1ca67a3b391
Instruction Fuzzy Hash: BA316974605202CFCB14DF14C184A6FBBB1BF85714B1ACA6ED8889B315E735EC52CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004879EA Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92bbfd22fe37206ab0fc3f3753771f27ee718db92d6dcb1d4d984188acd5092
Instruction ID: 05a96efa30581f7bc7a6760783cecf138e0e3c28b708d380bf87f2799cc86475
Opcode Fuzzy Hash: d92bbfd22fe37206ab0fc3f3753771f27ee718db92d6dcb1d4d984188acd5092
Instruction Fuzzy Hash: 632119B49097508FC710EF28C48462EBBE0BF49720F454A8DE9E49B391D738D945CB97

Uniqueness

Uniqueness Score: -1.00%

Function 004685A2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 659890fafeb3369c7d7afc1b26e3cc19b0e7072d2a6ac0f34b007917f5117ed0
Instruction ID: a619559841f8e33193ccd17066e6a04c683e3776551d9f046c06497e13d799b1
Opcode Fuzzy Hash: 659890fafeb3369c7d7afc1b26e3cc19b0e7072d2a6ac0f34b007917f5117ed0
Instruction Fuzzy Hash: E5219DB0A066018FC704DF68C8C466EF7E0BF46314F449A5DE5548F391EB39D899CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00462B12 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5f2b1d93cce161ddf071a0cdb62575a494c82e9838cd6edc5564dc61808390
Instruction ID: 62662423532cac2707c4d3c973ce319930fa941b60c9a13420f3d9ddbe8d76fb
Opcode Fuzzy Hash: ef5f2b1d93cce161ddf071a0cdb62575a494c82e9838cd6edc5564dc61808390
Instruction Fuzzy Hash: DA31BFB00097408BEB55AF18D0E836ABFE0BF45318F55568DCD840F28AD3BAC489CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 00464B22 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25678e7a272b1439cd9a7419b9ffb16fe6a9a19888ae8282fcadcbece2eec434
Instruction ID: 3340879376008063dd77cb4cf6c945d0b789fbb9f7c209f732d1f87b01215044
Opcode Fuzzy Hash: 25678e7a272b1439cd9a7419b9ffb16fe6a9a19888ae8282fcadcbece2eec434
Instruction Fuzzy Hash: 06318CB10097408BEB55AF18D4E83AA7FE4BF45318F555589CD840F38AD3BA8489CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 0041A070 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc0ea80b53b50b080d86bf3f1e4b4d92de062770a6ad752f38ff15e44c9368d1
Instruction ID: 4fcd0dee7eae7fab4b582ee708301f02a8e919cc851c088c45882f3695b065a4
Opcode Fuzzy Hash: dc0ea80b53b50b080d86bf3f1e4b4d92de062770a6ad752f38ff15e44c9368d1
Instruction Fuzzy Hash: 2A1182701632018AF3BD4A2CDB49BE33E52A344714F24842EC809C07B9DB6D99E4C51D

Uniqueness

Uniqueness Score: -1.00%

Function 004685EF Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d89e76dee13e1615a758a2cf81ca6b21688840e042365e6d6140992676258549
Instruction ID: ffcf3a55bbb2ff26c16d20a6c4b447ef1076e2758a3933ee54ee68de311e9d73
Opcode Fuzzy Hash: d89e76dee13e1615a758a2cf81ca6b21688840e042365e6d6140992676258549
Instruction Fuzzy Hash: 5CF09070A063068FC710AF74C8C439EBBA0AF46324F406E1CD5501F381DB3DC4998766

Uniqueness

Uniqueness Score: -1.00%

Function 00464C42 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cb9bf0aa3de85b65d40f5ba6ecb7ad7bd755532eb08491e381b40414be224be
Instruction ID: 204e9b2b9eca7b6319ea6cc0b542e9d59654de98970515fb1618d6f9f81f0fec
Opcode Fuzzy Hash: 4cb9bf0aa3de85b65d40f5ba6ecb7ad7bd755532eb08491e381b40414be224be
Instruction Fuzzy Hash: 12F052B08087008BCB10BF70C8D44ACBBF4AE0A220F426E5DD9E44F380DB389482DB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00462C32 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a525e0965145416549a0cf65b609e36b0e1dddda565423b8eb896c3647273d
Instruction ID: d6688f2f2e404b6b6fe9a1a2cf0a1e57d3ebfd0d17bd78add276f8f268a9477a
Opcode Fuzzy Hash: 13a525e0965145416549a0cf65b609e36b0e1dddda565423b8eb896c3647273d
Instruction Fuzzy Hash: B0F0F8B04187009FC700BF75C8C04ACBBE4AE06220F426E6DD9D05B294DB38D586CB57

Uniqueness

Uniqueness Score: -1.00%

Function 00428460 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2140643202.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2140629577.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140714173.00000000004AB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140732770.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140766026.00000000004DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140785489.00000000004DB000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2140844816.00000000004DE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50a582741fcee28b3566eb907111bef3affe55665ab8e9c9dbdc055153a03aa8
Instruction ID: d5ea12b3983e968b7fbfdb640c8128b077af7cd407eb0293d54f300981b6999c
Opcode Fuzzy Hash: 50a582741fcee28b3566eb907111bef3affe55665ab8e9c9dbdc055153a03aa8
Instruction Fuzzy Hash: 91C04C308593409BC6106F68890545DB6F06A43230F016B15E471632F4DB70D844D51F

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_52c39fc5bcdf1aa069192af103fe48fd9a11519_7dd17308_f500cfcd-0e44-4dc7-80f9-66804c930ec0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_84a58ccd12b2f316f290191695a7e7bac560e8_7dd17308_cf6470ba-3503-45bb-826c-3c93af6d0242\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B9F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BFE.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2EDA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2F77.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FF5.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.16650.30228.exe