Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
Analysis ID:	1448257
MD5:	a23f22d37955d5d1c131772127d7a858
SHA1:	5bdb82d8510b9086654aac443c586408600e99e2
SHA256:	fa4b977d79de2324078de8de4b98bf69dd64a36b100894961a307335dc364c3a
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe" MD5: A23F22D37955D5D1C131772127D7A858)

WerFault.exe (PID: 7332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_00415870	0_2_00415870
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_0040C8D0	0_2_0040C8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_004290F4	0_2_004290F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_00412140	0_2_00412140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_0040B150	0_2_0040B150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_004221B0	0_2_004221B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_00401290	0_2_00401290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_0040AE60	0_2_0040AE60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: 0_2_00411EA0	0_2_00411EA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: String function: 00401CF0 appears 41 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: String function: 00402470 appears 61 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: String function: 00401D70 appears 40 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Code function: String function: 00401C70 appears 41 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 232

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe, 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHackFans Unpacker.EXEH vs SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Binary or memory string: OriginalFilenameHackFans Unpacker.EXEH vs SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Static PE information: Section .clam01

Source: classification engine

Classification label: mal64.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7264

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\da8f042e-6a60-4d6f-9d90-05b29701c27e

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 236

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Section loaded: apphelp.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .clam01

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Static PE information: section name: .clam01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Code function: 0_2_00429910 push ecx; ret

0_2_00429911

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Process queried: DebugPort

Jump to behavior

Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Binary or memory string: \\.\ICEEXT\\.\FROGSICE\\.\SIWDEBUG\\.\BW2K\\.\VKEYPROD\\.\FILEVXD\\.\REGVXD\\.\FILEMON\\.\REGMON\\.\ICEDUMP\\.\SUPERBPM\\.\TRW2000\\.\TRW\\.\TRWDEBUG\\.\NTICED052\\.\NTICE7871\\.\NTICE.Shell_TrayWnd.OLLYDBG\\.\NTICE\\.\SICErbEXPLORER.EXEShell_TrayWndControlServiceGetLastErrorNtQueryInformationProcessGetCommandLineAOutputDebugStringAEnumWindowsZwQueryInformationProcessntdll.dll_lopenWriteFileGetSystemDirectoryALoadLibraryExAIsBadReadPtrlstrcmpSetFilePointerCreateMutexAGetVersionExASuspendThreadTerminateProcessCryptReleaseContextCryptDestroyKeyCryptDecryptSetWindowLongAGetWindowLongACryptDestroyHashCryptDeriveKeyCryptHashDataCryptCreateHashCryptAcquireContextAadvapi32.dllBlockInputSetPriorityClassGetPriorityClassGetCurrentProcessGetTopWindowFindWindowAGetForegroundWindowGetVersionGetTickCountWaitForInputIdleGetFileSizeProcess32NextProcess32FirstGetCurrentProcessIdCreateToolhelp32SnapshotCloseHandleReadFileGlobalAllocLocalFreeLocalAllocExitProcessGetModuleFileNameAuser32.dllMessageBoxAkernel32.dll bqo.dllya.dll%2xcompiler_infounpack = trueep_only = signature =
Source: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	Binary or memory string: \\.\NTICE.Shell_TrayWnd.OLLYDBG

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	34%	ReversingLabs
SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.clamav.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448257
Start date and time:	2024-05-28 06:36:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
Detection:	MAL
Classification:	mal64.winEXE@3/9@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe, PID 7264 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Simulations

Behavior and APIs

Time	Type	Description
00:37:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_4b9cb99727f9bbacc691451aa4aa9d46a1a574c6_be40a158_efefa761-00f1-42de-8e4f-3b71277c0042\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6755287089891994
Encrypted:	false
SSDEEP:	96:vSLTLm+x8sGhMy87Mf15SZQXIDcQzc645cocE1cw345cx+HbHg6ZAX/d5FMT2SlG:4mA8B0tM/CjEzuiFTZ24IO8q
MD5:	0D3F902D44A23E3B9702FA422086BE35
SHA1:	3C5046DC491EC4DD1E3C7EC66955DAF7AB766882
SHA-256:	DE93925CC6AB9CEF5937022B01813CC179432A151EC18341663D65C964BE9764
SHA-512:	F448E594994F06291BFA9AB17DEC3B66C91512D7A6A1DD3DD1C7650DC4858256AD132EC66BEDB0A5495720D38AA8360F9ABE6EEB6388A86FBDE69C306AA742CA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.4.4.6.2.8.2.4.8.2.8.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.f.e.f.a.7.6.1.-.0.0.f.1.-.4.2.d.e.-.8.e.4.f.-.3.b.7.1.2.7.7.c.0.0.4.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.0.9.5.c.4.e.-.6.c.f.9.-.4.7.7.c.-.a.8.d.9.-.2.7.3.8.1.b.5.8.1.5.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...C.l.i.c.k.3...2.6.9.7.6...2.0.1.3.2...6.4.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.0.-.0.0.0.1.-.0.0.1.4.-.f.6.4.4.-.a.6.b.2.b.8.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.6.f.2.d.0.3.9.0.0.7.e.3.5.6.5.e.5.9.8.a.6.0.9.9.3.7.6.d.4.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.b.d.b.8.2.d.8.5.1.0.b.9.0.8.6.6.5.4.a.a.c.4.4.3.c.5.8.6.4.0.8.6.0.0.e.9.9.e.2.!.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...C.l.i.c.k.3...2.6.9.7.6...2.0.1.3.2...6.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_8c6c5292c7ab6f2d59e3ef94e0d4e25040a8b3f_be40a158_7a2772ac-14cf-4825-bed5-7c1c3d199ce0\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6791561592592152
Encrypted:	false
SSDEEP:	96:hoFt0LTLm+xssGhMy87MXf1FQXIDcQvc6QcEVcw3cE/H+HbHg6ZAX/d5FMT2SlPd:KimAs20BU/AjEzuiF5Z24IO83
MD5:	5A6D0089F931E6346900FCF487D4433D
SHA1:	A98BF33385EBC6DFE8329BFEBE97106669D6BBF7
SHA-256:	D9BA54C8A81DEF212588B4E14DF99A0D0B3837CF0285C564A8CB712D8CAC1D88
SHA-512:	ADF365F7E041B27407421ABD5126904937103A7DCAC6210ECF9BBA28560D94AAEA7ED9BB12561A042360EB0D35E90281B111C17664325872EBC99962C9CAFA73
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.4.4.6.2.8.7.4.3.6.8.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.3.4.4.6.2.8.9.4.6.8.0.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.2.7.7.2.a.c.-.1.4.c.f.-.4.8.2.5.-.b.e.d.5.-.7.c.1.c.3.d.1.9.9.c.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.0.5.e.d.3.a.3.-.c.c.2.e.-.4.3.a.d.-.9.5.9.3.-.0.8.8.f.b.b.6.6.e.d.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...C.l.i.c.k.3...2.6.9.7.6...2.0.1.3.2...6.4.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.0.-.0.0.0.1.-.0.0.1.4.-.f.6.4.4.-.a.6.b.2.b.8.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.6.f.2.d.0.3.9.0.0.7.e.3.5.6.5.e.5.9.8.a.6.0.9.9.3.7.6.d.4.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.b.d.b.8.2.d.8.5.1.0.b.9.0.8.6.6.5.4.a.a.c.4.4.3.c.5.8.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C33.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 28 04:37:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18118
Entropy (8bit):	1.9334605846473993
Encrypted:	false
SSDEEP:	96:5N8T66QGh1Ki7nGE4jpQCuvH06SlEYjlwEWIkWIbNIQ6y2md2:8zAOGlpuvZSXE6y2md
MD5:	42E42EA7B02B93D7B92FA7E09AC1FDD9
SHA1:	7EF66657CA035B00B662DD97B4DB84E2F4CA6DE8
SHA-256:	EACFB8A61613D90D7CD66E2B74ACFD97FBAB306E745FA42C3E2AF5D02C2BC6CD
SHA-512:	B1ECCA994058F72DCD50D11D8DBBEF250EF7B4D1E5BAE887416F334984265E9BFC5124FACFA983E6A7A4E5C9F4770F095C64A4269E04B0D478CF35110EA6608D
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......t_Uf............4...............<.......d...............T.......8...........T...........p...V=......................................................................................................eJ......L.......GenuineIntel............T.......`...s_Uf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C73.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8570
Entropy (8bit):	3.695766426773282
Encrypted:	false
SSDEEP:	192:R6l7wVeJlP6c6Y9jSUegmf6MPUpNr89bhb1fNrm:R6lXJd6c6YZSUegmfVrhpf8
MD5:	C3AC71661F1F7777027E4777BC5375A2
SHA1:	E805AB097A1043112253480058E48B3C495B3F10
SHA-256:	A69588A3C852EA304EED380DA217F7F6328B52E30F6ED6B004CD7FEFED770894
SHA-512:	C471FF36628763AAF661A7EDCE35D12CC7B081F1CE9F466FD89F467AA74234B7D510AF79679499CD1F5C366AFD637D896C86526E4AA00614D9D3128B06513BDA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C93.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4939
Entropy (8bit):	4.552744823671214
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI9IfrWpW8VYMYm8M4Jqnun6lnLF4+q8vln6ln4/Lnz+Cnznd:uIjfXI7ay7VwJ6WouKNo4Lz+yznd
MD5:	4375F13597561114EF152D8496A3E2B1
SHA1:	BD5DD266267DDC0B94EDD927CBF87CBAD2E48809
SHA-256:	F21E5A17385F605AA273131B5B90B1039839CAE8DC195886123A13B834A993B9
SHA-512:	D92DE9C1D2F55437F3411823932CB2CFCEF6CC7215783AF37D57E288EEB5BEF7C1DD610182F9C9FE123A9E2A9EC036B9BC2DF7B346AF1F5A603BFC9DAC7595D7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342459" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E27.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 28 04:37:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18842
Entropy (8bit):	1.9987357016070173
Encrypted:	false
SSDEEP:	96:5N8MT6QGh+RD/2i7nGE2paCuvnLo5BAtu1LjqqXzwEWIkWIBNIdnsPc:83VOG9ovnE5B2uZjLn0c
MD5:	D4FA025F701542CD2CEDF9BDA082BB73
SHA1:	D8BA9703035BB8848F4B59603C9609EFD6348844
SHA-256:	387F08BD719295BC62956B94145FE93DA69A8EA1161ADE84B5E62C153C96D493
SHA-512:	346F146E19B4A6A612826E872EDFD0D2AC2A50BDC3E3349BAABE46B042A9E921C58BBABAE5736356E34FD1C3711BCB044287CBFF60F8257652A085DC5E4A9A94
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......t_Uf............4...............<.......d...............T.......8...........T................@......................................................................................................eJ......L.......GenuineIntel............T.......`...s_Uf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E57.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8510
Entropy (8bit):	3.6996997625732844
Encrypted:	false
SSDEEP:	192:R6l7wVeJl46BIM6Y9nSUegmfhMjWprRC89bhbsfqrm:R6lXJK6BIM6YdSUegmfiw7hgf/
MD5:	54C7CC96657841CB41EE8E3EB0A7FC3C
SHA1:	70628E89DD25C1007BA40299877CA411246B3CCB
SHA-256:	9DA9AC8EC1BBD86A24EDD8ED9B16B2802750A817763E0AD0038EB2A00D9FC396
SHA-512:	3540C281878664F07798D24F29F5880F9A10F3CDFCFCE3CFA5A75235EFB0DCDD19A7BD37AD435E8BB61B1FE57B8FFC75597A863EA517683C7F1424F3DAE8EA84
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E77.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4838
Entropy (8bit):	4.5624515739883
Encrypted:	false
SSDEEP:	48:cvIwWl8zs9Jg77aI9IfrWpW8VY2Ym8M4Jqnun6lnAF25am+q85nknHt/Lnz+Cnzs:uIjfXI7ay7VSJ6WoLJqENLz+yzWd
MD5:	61EEFFB3527F30DC70BB3CDF48D2E49E
SHA1:	9B00DF3F45B24DC8D683915E1C7CE2BBD2AA1B50
SHA-256:	EAFC10B07E8AC4A4DA3C8DC479E8C33B3C6DCF73F0777490274609BB7A8B25A4
SHA-512:	CE88A67473F010D07F58B72C4528C85227090841313B2506066A9F5078300DAF3BA8716E8252AD0879AB676C01987694ACEB757AF82FD1D56465A10086516A2B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342459" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465688812623906
Encrypted:	false
SSDEEP:	6144:MIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNWdwBCswSbS:xXD94+WlLZMM6YFHM+S
MD5:	B23F1E0ADD8BF4AD9D591E99357EF7BA
SHA1:	1E400C9523C77952BD86293263E9C60DBDEA7B75
SHA-256:	0064AA434C5E4D004961069F609A4B766CC76E557E388EC9B42D77BCFCFEEF1C
SHA-512:	0439BC334B030866D94CEF6172F1425EB6A44196F62576FCF154A24127C43295A9D767BCA0DA69EB48746B9971A7E4978EBE89D21B4EFB082C7FAACE71F403E3
Malicious:	false
Reputation:	low
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	4.754001735979296
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
File size:	546'816 bytes
MD5:	a23f22d37955d5d1c131772127d7a858
SHA1:	5bdb82d8510b9086654aac443c586408600e99e2
SHA256:	fa4b977d79de2324078de8de4b98bf69dd64a36b100894961a307335dc364c3a
SHA512:	5b2e6789f90645cfd21e1f8d7878ba36451d98b5bc1e2c4846fbd1d0517e798cf2e27f3d92e268df1262635bf2a76a836bf73169a7fb975cb01a392764d2e486
SSDEEP:	3072:7XNOJoN9BJMTsLzmy2CIJPc41NB9KvDiaumHLs5qsQSYZH9H5R2L0IIfymWsTUld:7WsLzV0LIvWJUGqH7Dg4vSg4tpm
TLSH:	8FC43B206250D1B2ECE41370E062CAF67322BD68F479D69F69D5FD36B7FB2D1081A819
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM...................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x481000
Entrypoint Section:	.clam01
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push 00000088h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
add byte ptr [ecx], al
push eax
jbe 00007F6C8CD32CD2h
mov dword ptr [eax], 000C003Dh
test dword ptr [ebx], FFFF0000h
add byte ptr [eax], FFFFFFF4h
sbb bl, byte ptr [ecx-05h]
jl 00007F6C8CD32CB1h
jle 00007F6C8CD32D4Bh
jc 00007F6C8CD32CF9h
pushad
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax-51h], edx
add byte ptr [edi+0F001D00h], ah
add al, bh
add eax, dword ptr [eax]
add bh, bh
inc dword ptr [eax-0C7ECF00h]
pop eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, byte ptr [eax-22h]
add ah, bl
add byte ptr [eax], dl
add byte ptr [eax], cl
add bh, bh
inc dword ptr [eax]
add bh, bh
inc dword ptr [edx+00000000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
push eax
fiadd word ptr [eax]
les eax, fword ptr [eax]
str word ptr [eax]
add bh, bh
inc dword ptr [eax]
add bh, bh
inc dword ptr [edx+00260500h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
push eax
fiadd word ptr [eax]
into
add byte ptr [esi], cl
add byte ptr [edx], cl
add bh, bh
inc dword ptr [eax]
add bh, bh
inc dword ptr [edx+00260500h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.clam01	0x1000	0x855ca	0x855ca	473e0efe8b3ff9c9632ac5dcf2450504	False	0.25364027459954236	data	4.754508321971033	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exePID: 7264, Parent PID: 2580

General

Target ID:	0
Start time:	00:37:07
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe"
Imagebase:	0x400000
File size:	546'816 bytes
MD5 hash:	A23F22D37955D5D1C131772127D7A858
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7332, Parent PID: 7264

General

Target ID:	3
Start time:	00:37:08
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 232
Imagebase:	0x270000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7400, Parent PID: 7264

General

Target ID:	5
Start time:	00:37:08
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7264 -s 236
Imagebase:	0x270000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exePID: 7264, Parent PID: 2580COMMON

Non-executed Functions

Function 00401290 Relevance: 83.4, Strings: 66, Instructions: 934COMMON

Download Yara Rule

Strings

CryptHashData, xrefs: 004200DB
ZwQueryInformationProcess, xrefs: 004202CD
ExitProcess, xrefs: 0041FA91
SetFilePointer, xrefs: 0042020F
GetFileSize, xrefs: 0041FF7B
GetCurrentProcessId, xrefs: 0041FE68
GetWindowLongA, xrefs: 00420123
BlockInput, xrefs: 00420093
EnumWindows, xrefs: 004202E7
CryptDeriveKey, xrefs: 004200F2
OpenProcess, xrefs: 0041FFA7
CryptReleaseContext, xrefs: 00420182
GetTopWindow, xrefs: 00420034
MessageBoxA, xrefs: 0041F9CD
_lopen, xrefs: 0042029F
CryptDecrypt, xrefs: 00420151
FindWindowA, xrefs: 0042001D
ControlService, xrefs: 0042035D
CryptCreateHash, xrefs: 004200C4
user32.dll, xrefs: 0041FA0C, 0041FFB9, 00420001, 00420018, 0042002F, 0042008E, 0042011E, 00420135, 004202E2
GlobalFree, xrefs: 0041FC19
GetVersion, xrefs: 0041FFEF
CryptDestroyHash, xrefs: 0042010C
GetCurrentProcess, xrefs: 0042004E, 004202B6
GetModuleHandleA, xrefs: 0041F781
GetCommandLineA, xrefs: 00420315
LoadLibraryExA, xrefs: 00420257
IsBadReadPtr, xrefs: 00420240
WaitForInputIdle, xrefs: 0041FFBE
OutputDebugStringA, xrefs: 004202FE
kernel32.dll, xrefs: 0041F7C0, 0041F823, 0041F887, 0041F8E6, 0041F94B, 0041F9AA, 0041FA71, 0041FAD0, 0041FB33, 0041FB97, 0041FBF6, 0041FC5B, 0041FCBA, 0041FD1C, 0041FD81, 0041FDE0, 0041FE42, 0041FEA7, 0041FF06, 0041FF66, 0041FF6D, 0041FFA2, 0041FFD0, 0041FFEA, 00420049, 00420060, 00420077, 00420194, 004201AB, 004201C5, 004201DC, 004201F3, 0042020A, 00420224, 0042023B, 00420252, 00420269, 00420283, 0042029A, 004202F9, 00420310, 00420341
WriteFile, xrefs: 00420288
ReadFile, xrefs: 0041FD4C
GetLastError, xrefs: 00420346
CreateMutexA, xrefs: 004201E1
TerminateProcess, xrefs: 00420199
GetVersionExA, xrefs: 004201CA
lstrcmp, xrefs: 00420229
Process32Next, xrefs: 0041FF29
CryptDestroyKey, xrefs: 0042016B
VirtualProtect, xrefs: 0041F96E
VirtualAlloc, xrefs: 0041F8A7
SetWindowLongA, xrefs: 0042013A
Process32First, xrefs: 0041FEC7
GetProcAddress, xrefs: 0041F848
VirtualProtectEx, xrefs: 004201F8
advapi32.dll, xrefs: 004200A8, 004200BF, 004200D6, 004200ED, 00420107, 0042014C, 00420166, 0042017D, 00420358
GetForegroundWindow, xrefs: 00420006
LocalFree, xrefs: 0041FB58
CryptAcquireContextA, xrefs: 004200AD
IsDebuggerPresent, xrefs: 0041FC7E
SuspendThread, xrefs: 004201B0
ntdll.dll, xrefs: 004202B1, 004202C8, 00420327
LoadLibraryA, xrefs: 0041F7E3
NtQueryInformationProcess, xrefs: 0042032C
LocalAlloc, xrefs: 0041FAF3
GetTickCount, xrefs: 0041FFD5
GetModuleFileNameA, xrefs: 0041FA32
CreateToolhelp32Snapshot, xrefs: 0041FE03
GetSystemDirectoryA, xrefs: 0042026E
CreateFileA, xrefs: 0041FCDD
CloseHandle, xrefs: 0041FDA4
VirtualFree, xrefs: 0041F909
GlobalAlloc, xrefs: 0041FBB7
GetPriorityClass, xrefs: 00420065
SetPriorityClass, xrefs: 0042007C

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BlockInput$CloseHandle$ControlService$CreateFileA$CreateMutexA$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptHashData$CryptReleaseContext$EnumWindows$ExitProcess$FindWindowA$GetCommandLineA$GetCurrentProcess$GetCurrentProcessId$GetFileSize$GetForegroundWindow$GetLastError$GetModuleFileNameA$GetModuleHandleA$GetPriorityClass$GetProcAddress$GetSystemDirectoryA$GetTickCount$GetTopWindow$GetVersion$GetVersionExA$GetWindowLongA$GlobalAlloc$GlobalFree$IsBadReadPtr$IsDebuggerPresent$LoadLibraryA$LoadLibraryExA$LocalAlloc$LocalFree$MessageBoxA$NtQueryInformationProcess$OpenProcess$OutputDebugStringA$Process32First$Process32Next$ReadFile$SetFilePointer$SetPriorityClass$SetWindowLongA$SuspendThread$TerminateProcess$VirtualAlloc$VirtualFree$VirtualProtect$VirtualProtectEx$WaitForInputIdle$WriteFile$ZwQueryInformationProcess$_lopen$advapi32.dll$kernel32.dll$lstrcmp$ntdll.dll$user32.dll
API String ID: 0-3651700886
Opcode ID: 1d604245d62b52b581f37020247840f578c53cf86be3f9a11d2a72e14d2b5b7c
Instruction ID: 2f120d527df101f2460aecaf35a06070952266b59d8146c6c8c10b88cd1b066d
Opcode Fuzzy Hash: 1d604245d62b52b581f37020247840f578c53cf86be3f9a11d2a72e14d2b5b7c
Instruction Fuzzy Hash: E452B472B80628579728D9757C53B6F2982B780764FE6432FB92A972D1CFFC5C06824C

Function 004221B0 Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

.linxer, xrefs: 0042241F

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .linxer
API String ID: 0-3462427016
Opcode ID: 082402e73ce4e749158a806478eda5009ebe50fb7e6576ea93cc6186fc9e7432
Instruction ID: 9d4964ad62b1445a16262d3ad71398b0573a8b4ec54be08a52ae439daffe5039
Opcode Fuzzy Hash: 082402e73ce4e749158a806478eda5009ebe50fb7e6576ea93cc6186fc9e7432
Instruction Fuzzy Hash: E591AD717042159FC718CF2DD98092AB7E2BBC8314B998A6EE85AC7351DB70ED06CB85

Function 0040B150 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4002a809454d4ab92b84d19f027ca4281889dc09ecf99b645590fc1eabe86ca8
Instruction ID: dcdefdda1ece7fd746d3e5545527e11ef27376d065c4cae03e09a7dda256f9df
Opcode Fuzzy Hash: 4002a809454d4ab92b84d19f027ca4281889dc09ecf99b645590fc1eabe86ca8
Instruction Fuzzy Hash: E1A12A35A082C49ACB11CF79E8511EE7F60DF16324F4881BED895A7392D33A9586C7CE

Function 00415870 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358d55d71633fdc403d5f75fd80299e446dcf4bf96e4e23ea045e6fc8c9f47b4
Instruction ID: 6d7699c0e3d2f5131cb77f7b9da6b66d48fef4465c8cbe9ea1a7355207dc00a3
Opcode Fuzzy Hash: 358d55d71633fdc403d5f75fd80299e446dcf4bf96e4e23ea045e6fc8c9f47b4
Instruction Fuzzy Hash: 1AA1D06631C7C18AD7219B39BC502E23FE19F5731078945ADC0D6C32A3D769A882CB9D

Function 0040AE60 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b2202b30e434e16c4623af21f33b3362aec3bcbea695877b2634599dbd7430e
Instruction ID: c732be6bec8cb88d01e2311294bc023e81d894c201f2ce2cb037bc61893fb268
Opcode Fuzzy Hash: 2b2202b30e434e16c4623af21f33b3362aec3bcbea695877b2634599dbd7430e
Instruction Fuzzy Hash: B2915B75A082C49ACB11CF39E8001EA7F70DF5A324F4485BAD894A7383C33A9596C7DE

Function 00412140 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9274c9a565d7b59b0531f747dfc9b2a180631aeaa4ec38ec1929ffbe0e8c1cfe
Instruction ID: c377d0020d44ff0d515b6eba3cdc0f6930f0e591941823b91885d697764b21e2
Opcode Fuzzy Hash: 9274c9a565d7b59b0531f747dfc9b2a180631aeaa4ec38ec1929ffbe0e8c1cfe
Instruction Fuzzy Hash: DE81F835A08288AACF11CB74E5503EEBFB09F26314F4881DADC949B342D3BD99D5C799

Function 00411EA0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037f25076bd595055050af9a5be059755c16c339278d540f23161c13670280ae
Instruction ID: ee14fc7ee5fbc88d4553246d46de5a5aecacbb009571156d3de55613d23a6a8e
Opcode Fuzzy Hash: 037f25076bd595055050af9a5be059755c16c339278d540f23161c13670280ae
Instruction Fuzzy Hash: 6F81F935E082C89ACF11CB68E5103EEBFB09F2A324F4481DAD95497352C3BA95D5C799

Function 0040C8D0 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51d639f34a2b3fdf0a9257bae8f591ba114e876367a970df1d8c10da5de1875
Instruction ID: a003129531256e4cb73cf5c71a93c7e0313e5d4f532e48c6b2c0b79e2c86c987
Opcode Fuzzy Hash: b51d639f34a2b3fdf0a9257bae8f591ba114e876367a970df1d8c10da5de1875
Instruction Fuzzy Hash: 9831E3A161C58184D7348B3DBC602B27F92DB473207584A7ED0E7D26D6C77AA443DB8D

Function 004290F4 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c187d0f77886f30c6d0919a2cd04085318950b559bd4545eef3b118b9cfce2
Instruction ID: 3c1fd4bf450997b68f305cacf7f7f66c38255e8043ce2d0a2e3e91914962e49b
Opcode Fuzzy Hash: 79c187d0f77886f30c6d0919a2cd04085318950b559bd4545eef3b118b9cfce2
Instruction Fuzzy Hash: E531303144E7C28FD3130BB888251927FF0AF17214B2A48EBC4C2CF0B7D269186AD726

Function 0041E240 Relevance: 24.2, Strings: 19, Instructions: 494COMMON

Download Yara Rule

Strings

\\.\FILEMON, xrefs: 0041E50D
\\.\NTICED052, xrefs: 0041E370
\\.\SICE, xrefs: 0041E281
\\.\TRW, xrefs: 0041E3E6
\\.\BW2K, xrefs: 0041E5F9
\\.\FILEVXD, xrefs: 0041E583
\\.\VKEYPROD, xrefs: 0041E5BE
\\.\TRW2000, xrefs: 0041E421
\\.\TRWDEBUG, xrefs: 0041E3AB
\\.\SUPERBPM, xrefs: 0041E45C
\\.\NTICE.Shell_TrayWnd.OLLYDBG, xrefs: 0041E2FA
\\.\ICEEXT, xrefs: 0041E6A2
\\.\NTICE7871, xrefs: 0041E335
\\.\REGVXD, xrefs: 0041E548
\\.\SIWDEBUG, xrefs: 0041E634
\\.\REGMON, xrefs: 0041E4D2
\\.\ICEDUMP, xrefs: 0041E497
\\.\NTICE, xrefs: 0041E2BF
\\.\FROGSICE, xrefs: 0041E66B

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: \\.\BW2K$\\.\FILEMON$\\.\FILEVXD$\\.\FROGSICE$\\.\ICEDUMP$\\.\ICEEXT$\\.\NTICE$\\.\NTICE.Shell_TrayWnd.OLLYDBG$\\.\NTICE7871$\\.\NTICED052$\\.\REGMON$\\.\REGVXD$\\.\SICE$\\.\SIWDEBUG$\\.\SUPERBPM$\\.\TRW$\\.\TRW2000$\\.\TRWDEBUG$\\.\VKEYPROD
API String ID: 0-222153696
Opcode ID: 2e9c5d6f3cddd6b5ed47e3f329a22cd8ac7d3b7971b1c455234ec385e8e2bdee
Instruction ID: 156d78200e87ee4babac86774c7ffa12fbaf86db4f3d9ea3da13ce2bd4f7ad8e
Opcode Fuzzy Hash: 2e9c5d6f3cddd6b5ed47e3f329a22cd8ac7d3b7971b1c455234ec385e8e2bdee
Instruction Fuzzy Hash: 74E13F2DA582E95B97310E3618B15E36FDA0D3B2483DE95A6DDD58B311E10FDC8CD348

Function 004215C0 Relevance: 7.7, Strings: 6, Instructions: 206COMMON

Download Yara Rule

Strings

signature = , xrefs: 004216C7, 004216D8
Micorsoft Visual C++ 7.0 Method22, xrefs: 00421644
true, xrefs: 00421714
ep_only = , xrefs: 00421705
compiler_info, xrefs: 00421781
unpack = , xrefs: 0042172E, 0042173F

Memory Dump Source

Source File: 00000000.00000002.1930315806.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1930294473.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000426000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.000000000042E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1930315806.0000000000480000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Micorsoft Visual C++ 7.0 Method22$compiler_info$ep_only = $signature = $true$unpack =
API String ID: 0-472807323
Opcode ID: 05580218cad0748ad0098bbf4f041c29ce1b52652f2d0248d251696af7611380
Instruction ID: 72f136cd52e5ecb32860fd9deecbb462747985c2ad801bbbe59ee81b4f7d389b
Opcode Fuzzy Hash: 05580218cad0748ad0098bbf4f041c29ce1b52652f2d0248d251696af7611380
Instruction Fuzzy Hash: D151573170031167D7109675BC46F6B3698EFD0362F940A3AFD15C22E1EEBDDA0982AE

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_4b9cb99727f9bbacc691451aa4aa9d46a1a574c6_be40a158_efefa761-00f1-42de-8e4f-3b71277c0042\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_8c6c5292c7ab6f2d59e3ef94e0d4e25040a8b3f_be40a158_7a2772ac-14cf-4825-bed5-7c1c3d199ce0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C33.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C73.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C93.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E27.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E57.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E77.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exePID: 7264, Parent PID: 2580

Windows Analysis Report
SecuriteInfo.com.Trojan.Click3.26976.20132.6403.exe