Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe
Analysis ID:	1448259
MD5:	75ac22830dfa12de136a6e72d60f6da5
SHA1:	0da8473ec742c8d0ac5e5962b302d02fa071639c
SHA256:	dbf007522a76553be4cdc3ccfa581cbfe1efdc28fa1985da662dc1c18ac813bf
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe (PID: 3224 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe" MD5: 75AC22830DFA12DE136A6E72D60F6DA5)

WerFault.exe (PID: 3472 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Virustotal: Detection: 33%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.9% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 4x nop then push esi	1_2_0040F261
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 4x nop then mov eax, 0047F710h	1_2_00403821
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 4x nop then push FFFFFFFFh	1_2_00409E31

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	String found in binary or memory: http://ssjj.4399.com/
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_0043C380	1_2_0043C380
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_004564C0	1_2_004564C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00466916	1_2_00466916
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00410910	1_2_00410910
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_0042C9C0	1_2_0042C9C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00412AC0	1_2_00412AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_0042EAD0	1_2_0042EAD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00460DB3	1_2_00460DB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00426F30	1_2_00426F30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00445000	1_2_00445000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_0045B3F6	1_2_0045B3F6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_0041B640	1_2_0041B640
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00445AA0	1_2_00445AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00413F90	1_2_00413F90

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3224

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bee6db1d-5bcb-40f7-89f4-90eaf5d72a27

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	ReversingLabs: Detection: 36%
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00456EA4 push eax; ret		1_2_00456EC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	Code function: 1_2_00455180 push eax; ret		1_2_004551AE

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Code function: 1_2_00454BC0 EntryPoint,LdrInitializeThunk,

1_2_00454BC0

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	37%	ReversingLabs
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	34%	Virustotal		Browse
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.clamav.net	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://ssjj.4399.com/	0%	Avira URL Cloud	safe
http://ssjj.4399.com/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://ssjj.4399.com/	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448259
Start date and time:	2024-05-28 06:41:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe
Detection:	MAL
Classification:	mal64.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.89.179.12
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_48cced91bc9651528f28e10ed8c46c3e066aea3_dbc789e8_68eb9979-82cb-4667-8c46-c0a3e780565c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6838474785831741
Encrypted:	false
SSDEEP:	96:5IFXA2+eXXs2ohMyohR7JfSQXIDcQwc6ccEfcw3a6w++HbHg6ZAX/d5FMT2SlPkk:CnZXnh0uY1+jEzuiFKZ24IO8bY
MD5:	703C6A47CF64CD6FA4C4386BCD15FEE1
SHA1:	9E84C13B41768DF45532317993CB8A67ACB32487
SHA-256:	AD409111FA68195CB233D129B1EDFA024C9B3AB7B8287A54AB04CFBC74D497DF
SHA-512:	8FC17467E6BF56C7EE52D0C145C7F92AE373276CC8142562FA0B9509B47C8633B12EA9BFD9C9BF517C938BE866607B729617028092C216DB7648E87382D18936
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.4.4.9.8.6.6.6.9.0.2.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.3.4.4.9.8.6.8.5.6.5.1.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.8.e.b.9.9.7.9.-.8.2.c.b.-.4.6.6.7.-.8.c.4.6.-.c.0.a.3.e.7.8.0.5.6.5.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.b.2.a.1.1.5.5.-.6.d.b.0.-.4.1.0.8.-.9.1.b.3.-.5.8.9.f.e.b.1.a.a.a.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...7.6.5.0...2.6.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.9.8.-.0.0.0.1.-.0.0.1.5.-.1.6.3.7.-.8.c.7.4.b.9.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.4.5.0.9.7.8.5.1.4.7.5.5.b.0.d.b.6.6.7.8.b.d.8.6.4.7.c.6.e.4.0.0.0.0.f.f.f.f.!.0.0.0.0.0.d.a.8.4.7.3.e.c.7.4.2.c.8.d.0.a.c.5.e.5.9.6.2.b.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_5825ec9a25b42d7b9f7c995f519949422ca889_dbc789e8_e1c6df5a-5fb4-418e-b55b-1e776ced8792\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.683620367905049
Encrypted:	false
SSDEEP:	96:QLFcFIA2+eXBs2ohMyoI7Jf7QXIDcQvc6QcEVcw3cE/jw++HbHg6ZAX/d5FMT2SP:CBZB/0BU/ojEzuiFKZ24IO8bY
MD5:	7AB770A4B7DA606F9F433DA1CA48C88A
SHA1:	EDEC78D69E9904EFDB5AE0599EE733D3BD026E57
SHA-256:	C69A61DF7E7F71B40B5094617D612FC3E7B89B21E65D73C7AA782316DD6488F9
SHA-512:	929234E6673AD147B38ECAF89220827F950A380E04ACB974D38BBFAD0AE683BDB2E6F7B64FC77CBCB99B083F103BDFA797CC387E6333B2AC2B2BB040006AA1E4
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.1.3.4.4.9.5.3.4.6.1.3.7.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.1.3.4.4.9.5.3.7.2.7.0.0.1.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.1.c.6.d.f.5.a.-.5.f.b.4.-.4.1.8.e.-.b.5.5.b.-.1.e.7.7.6.c.e.d.8.7.9.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.3.a.b.7.7.4.f.-.3.f.f.3.-.4.4.d.a.-.9.c.3.0.-.3.a.b.c.a.7.9.d.5.f.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...7.6.5.0...2.6.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.9.8.-.0.0.0.1.-.0.0.1.5.-.1.6.3.7.-.8.c.7.4.b.9.b.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.b.4.5.0.9.7.8.5.1.4.7.5.5.b.0.d.b.6.6.7.8.b.d.8.6.4.7.c.6.e.4.0.0.0.0.f.f.f.f.!.0.0.0.0.0.d.a.8.4.7.3.e.c.7.4.2.c.8.d.0.a.c.5.e.5.9.6.2.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 28 04:42:33 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18710
Entropy (8bit):	1.965572949861769
Encrypted:	false
SSDEEP:	96:5p8eyhsHslQHALQ2Vi7nFAVxxrKVkjS68LWx4Wq5MEInB4JHrJojQWI8WIVwI4Oi:EPNxVOK0MxpmOhBeKwas
MD5:	E0EC7A0792B4F6A5EA2E86D9D6EB732D
SHA1:	7AC93B87ABA264BCDB09D5C5BBD8CD10F5DAF623
SHA-256:	22C81A96C1184FF38696FED130188DA9D7F57D43A64C12E4666EBB0C7CB3069F
SHA-512:	623214AE28B221EB7CCEECBB028829630CD5ED4A1346DE64F3E65CA8677A5E91C26224CD3C0B87324ACF016E6123549F92F2BF6F58AB7C7D3B5CF5EDAD0F7085
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........`Uf............4...............<.......d...............T.......8...........T...............~?......................................................................................................eJ......L.......GenuineIntel............T............`Uf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER345D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8482
Entropy (8bit):	3.7046121963118006
Encrypted:	false
SSDEEP:	192:R6l7wVeJcX6+96Y2DcmSUJBjgmfmgwprT89bb8sf9Jm:R6lXJk686YASU7gmfVhbPfa
MD5:	267D556128B49B579FEB655B427EDEB9
SHA1:	189E9E3032FEF4AADCAD12753DAE5D31795CDD6E
SHA-256:	10EEC4CFF051938B40B033903515A85E6CAEE562B023DEC664DA478093E595A5
SHA-512:	27985C854C50AB8B7E2139A1B79126490548923D2948E92519337888443AFFD277C5F2111790AEDC0C03A2F5F6935A4F3A0B3AE4A084B4E76409C1C35A0F8B40
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER348C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.577801982021506
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuJg77aI9/8WpW8VYbYm8M4J+GFY+q8ttHt+3td:uIjfkI7517VTJMeHt+3td
MD5:	4FFB8DDD4FDE55EFBBD4ED8A19C67750
SHA1:	12B8E5BFF54108B0094E69909B60259DC64BAC35
SHA-256:	B7DD38F4AC167620C540203CB301F4D40FC4134BEDB86A2404631B72D5EF8B4C
SHA-512:	777DE0BD53C27779190C932CC27D3B0F9B6CA89BBC8AD455C0E2E1D29ED38987BBD9B5A1A4657762C3FFFC448D1E244A1D12C39EE0D18EAADFD0756A17ED741B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5B1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 28 04:43:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18578
Entropy (8bit):	1.9337112023576521
Encrypted:	false
SSDEEP:	96:5W8Sy7bsHslQ+CTxoTviVi7nXvmRB4JHxEduQWI8WIxwIwR9CNOJF:LZbN/JLOOeR+ZijCNOJF
MD5:	484D33A0AA7F6A1741C9C3563F12DE6D
SHA1:	AC8424447DA4F172BB3191D3770EA695CE7A4611
SHA-256:	E1C134A54B1E817006244F099279DDCE0EC0008F0B3F4751884D185F60A3CCD7
SHA-512:	33C4E1E50074012FC470C664BB9E4A52B9AF23BD043DC160EAC3AF3535E49A5969488883D617F8383BB2298876AB81AA140EADAA1140E367943DBA00DC79CD7B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........`Uf............4...............<.......T...............T.......8...........T...........H...J?......................................................................................................eJ......L.......GenuineIntel............T............`Uf.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8494
Entropy (8bit):	3.7023600627369944
Encrypted:	false
SSDEEP:	192:R6l7wVeJc66ap86Y2DUSU98CgmfmqRLpDv89b08sfjcm:R6lXJZ6ap86YZSU9xgmfVRe0Pf9
MD5:	2D6AC70FACA4B2BBEFC898531FE2338B
SHA1:	2DA21336921D94E044808CD43480BEBB62816B6F
SHA-256:	6671FBDA1588EE2CC78AA4417088086047C2F1B8435134C61F18FCC90427D5F1
SHA-512:	D77B6C5A7A03EDE6EDA6643BFCC049B6547612C71312D98A0BF3B4330CFEBD2C6F0283C45C1571594181094B66828D59F85E5D5F031183A8E0A3FE0F3A98C9BC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.2.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB601.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.577519849873364
Encrypted:	false
SSDEEP:	48:cvIwWl8zsuJg77aI9/8WpW8VY1Ym8M4J++lOqFbS+q8INzOpHt+3td:uIjfkI7517V9J5liVpuHt+3td
MD5:	96C2674557A9701BCB3953F21825911E
SHA1:	625E157C572DD5BF1A746D53B50D4CF582E95AD7
SHA-256:	50D17351260FD5CFA230943A79DEBDB160968787C8AE9D37121D0B213E13CD9E
SHA-512:	564FA7DDBEB8676B8B7229F9B28CB53D130C42419EE0FB6D1542F68B04ECBFB3A915764C3E71BDF2FE4990F8637F60354C75C86F08517D2D2D033E3E1A8F8BF4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="342465" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.468857562067776
Encrypted:	false
SSDEEP:	6144:bzZfpi6ceLPx9skLmb0fXZWSP3aJG8nAgeiJRMMhA2zX4WABluuN+jDH5S:XZHtXZWOKnMM6bFpoj4
MD5:	2D5416F819B44CAA6CF5E3F047A7F9AB
SHA1:	0135A0905994482EBCE216ECA73D9A48D93B711F
SHA-256:	90DCB35C3AC14948120B47D2B57E71A9AAFB516FA0A9D65EBE4C918FC999BB0E
SHA-512:	C0ABA0452B33B48FB997B39CE8175F4E0E72ADB52B08E2F3023A7B8031DF1B6BC4B72E8550F7AA811B5D2D629870EA8B257A9CB69FEAA0E9FD1083AEC190627C
Malicious:	false
Reputation:	low
Preview:	regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...t..................................................................................................................................................................................................................................................................................................................................................@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.169326627405311
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe
File size:	917'504 bytes
MD5:	75ac22830dfa12de136a6e72d60f6da5
SHA1:	0da8473ec742c8d0ac5e5962b302d02fa071639c
SHA256:	dbf007522a76553be4cdc3ccfa581cbfe1efdc28fa1985da662dc1c18ac813bf
SHA512:	cadde1434a1f89c0a0df32f4a111ef4206818d6e34c13344dfc9e64a5689a9fbfff468ecc41523bc2b153f8d3d9fa60640a0bdb043e51156968660e6028295d4
SSDEEP:	12288:V/eNfUVIwGAU7wVcv7P+sUJIBz4n3p2FT:deN8GlxGcv4mdT
TLSH:	EC159E03B2E200F5C675167149BA6775D9FA8A0707809EC76124DEED99222F2FD3B42F
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................`...`.......K.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x454bc0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00486A90h
push 00459574h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004771A0h]
xor edx, edx
mov dl, ah
mov dword ptr [004BD054h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [004BD050h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004BD04Ch], ecx
shr eax, 10h
mov dword ptr [004BD048h], eax
push 00000001h
call 00007F4224EDB6C2h
pop ecx
test eax, eax
jne 00007F421968B1AAh
push 0000001Ch
call 00007F4202A4B6C2h
pop ecx
call 00007F41E1EAB6C2h
test eax, eax
jne 00007F421968B1AAh
push 00000010h
call 00007F4202A4B6C2h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F4225E9B6C2h
call dword ptr [0047722Ch]
mov dword ptr [004BE764h], eax
call 00007F41F3E7B6C2h
mov dword ptr [004BD02Ch], eax
call 00007F41A6E5B6C2h
call 00007F41EDE4B6C2h
call 00007F4203C6B6C2h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004772C4h]
call 00007F4295E4B6C2h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F421968B1A8h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x901e8	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbf000	0x1d218	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x77000	0x73c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x76000	0x76000	ba0621c1507c74886c1ed59229b72e8f	False	0.510086318193856	data	6.635848792047047	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x77000	0x1c000	0x1c000	ad652ccc047f9ebb3f7b8ffdf9b66ff5	False	0.36789376395089285	data	4.5720489809039275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x93000	0x2c000	0x2c000	5ea58fc2896f84b52a209ac65a838ebf	False	0.11517888849431818	data	2.195165897174152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xbf000	0x1e000	0x1e000	7da2f404432482e62857b4c8d9efac80	False	0.0445068359375	data	0.8994073644324309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exePID: 3224, Parent PID: 4004

General

Target ID:	1
Start time:	00:42:33
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe"
Imagebase:	0x400000
File size:	917'504 bytes
MD5 hash:	75AC22830DFA12DE136A6E72D60F6DA5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3472, Parent PID: 3224

General

Target ID:	4
Start time:	00:42:33
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232
Imagebase:	0xe60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6452, Parent PID: 3224

General

Target ID:	7
Start time:	00:43:06
Start date:	28/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232
Imagebase:	0xe60000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exePID: 3224, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 00454BC0 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00454BE6

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4208ee21b2cd6bd2cdab5fb1746ff2bbb3c813ba3817cf062ceb3ad0db7845c
Instruction ID: 2daacd3ea9cc82d202a5e9b17e0cb5da7c8b46ac85700961d1b809c52c5f80c5
Opcode Fuzzy Hash: d4208ee21b2cd6bd2cdab5fb1746ff2bbb3c813ba3817cf062ceb3ad0db7845c
Instruction Fuzzy Hash: B721D7B1C00705AFDB19AFB9DD44A6D7B78EF44734F10072AE9369A2E1EB344481CB58

Function 00459574 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 0045961B

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dfcfb12b66831443d2a6ef88fc85b29170d1cd21e53e96d64955fb825694133
Instruction ID: c7f90b311d8f54c413273516955c4ec37dd7fc098bf5af686b99e8505f75e34c
Opcode Fuzzy Hash: 4dfcfb12b66831443d2a6ef88fc85b29170d1cd21e53e96d64955fb825694133
Instruction Fuzzy Hash: 8321B876500208EBCB10DF58D8849AAB764FB04331F444796ED299B2C5E735FD68CBE4

Non-executed Functions

Function 00460DB3 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

9, xrefs: 00460EC8
9, xrefs: 00461044
0, xrefs: 00460F54
c, xrefs: 00460EA2
0, xrefs: 00461052
E, xrefs: 00460E9D
0, xrefs: 00460EDD
9, xrefs: 00461034
-, xrefs: 00460E8A
e, xrefs: 00460EAB
9, xrefs: 00460E22
0, xrefs: 00460E8F
1, xrefs: 0046102B
9, xrefs: 00460E74
1, xrefs: 00460FF8
-, xrefs: 00460FB1
+, xrefs: 00460E85
+, xrefs: 00460FA8
C, xrefs: 00460E94
0, xrefs: 00461021
9, xrefs: 00461000

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: d74666d3c9efc04b6f84dd9ea13b004bb54651c9f674426348ffe1de358c6e86
Instruction ID: 4f0067a519e0ec34594b51a1288ebefc247e6e7c1e0f742e0fca1df16ce79d0a
Opcode Fuzzy Hash: d74666d3c9efc04b6f84dd9ea13b004bb54651c9f674426348ffe1de358c6e86
Instruction Fuzzy Hash: 3CE1FF30E54259CEEF258FA8C8517FE7BB1AB05310F2C4567D511E62E1E3BD8982CB0A

Function 0041B640 Relevance: 10.2, Strings: 7, Instructions: 1494COMMON

Download Yara Rule

Strings

<>H, xrefs: 0041CC8A
<>H, xrefs: 0041CB38
<>H, xrefs: 0041BC33
$]H, xrefs: 0041BAED, 0041BAF6
?H, xrefs: 0041B9AC
?H, xrefs: 0041B86E
?H, xrefs: 0041C892

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $]H$<>H$<>H$<>H$?H$?H$?H
API String ID: 0-1617291701
Opcode ID: ba2162572df835ea1805067853cda7bb5ec48e45a0b3d4bc4b02fc6e6c2e29fd
Instruction ID: 83ab0f5888ed9d41b01170cfb343d224517b3639419b753ec5179373e2afcae5
Opcode Fuzzy Hash: ba2162572df835ea1805067853cda7bb5ec48e45a0b3d4bc4b02fc6e6c2e29fd
Instruction Fuzzy Hash: 6BD23B712083819FD324DF65C894BAFB7E9BBC8724F004A1DE5AA832D0DB74A945CB56

Function 00413F90 Relevance: 5.9, Strings: 4, Instructions: 859COMMON

Download Yara Rule

Strings

J, xrefs: 00414A55
J, xrefs: 0041495F, 00414966
J, xrefs: 004143CB
J, xrefs: 0041404E

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: J$J$J$J
API String ID: 0-1698453488
Opcode ID: e205a9b44688d8cd7a537a9ad95f944caa93dac413e994192d9bafb3135410c4
Instruction ID: b19424131ce9d05c6962b14c3f8e7439dad69048999d0ce853928aa5bf9429cf
Opcode Fuzzy Hash: e205a9b44688d8cd7a537a9ad95f944caa93dac413e994192d9bafb3135410c4
Instruction Fuzzy Hash: A062E1716083419FC724CF28C880BAFB3E5AFD5724F144A2DE9A997390DB34E985CB56

Function 0042EAD0 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

MTrk, xrefs: 0042EC4C
d, xrefs: 0042ED14

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: a2a054a7ebe48ef30d5902e019f1f85a492a7fd82f04d70045efc9c9b73569bb
Instruction ID: 85eb63b7e9245656e57c2d15272333a400ad7a4f0086def339a2132df0b39674
Opcode Fuzzy Hash: a2a054a7ebe48ef30d5902e019f1f85a492a7fd82f04d70045efc9c9b73569bb
Instruction Fuzzy Hash: 6591D6717007068FD718CF6AD88096AB7E2EFC8310B54CA3EE85ACB395E638E945C755

Function 00410910 Relevance: 2.2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

Strings

d, xrefs: 00410923

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: ebb8ebf1e1b4fb6d068b593a37ba51f0db38d3ac96994cde2ba1e2784e202c7a
Instruction ID: 1b9d98413d309d2af1993c84aef8160b6a9dc8a0769ce69974574f9a97c3266e
Opcode Fuzzy Hash: ebb8ebf1e1b4fb6d068b593a37ba51f0db38d3ac96994cde2ba1e2784e202c7a
Instruction Fuzzy Hash: D5729E716083419BD320CF69C880FAFB7E9AF84750F144A1DF95997390DB78E885CBA6

Function 0043C380 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881d3c90ad19964c6da6918df0e0e4337caa5aa913176148f8f193681d2f0b1f
Instruction ID: 401a2bc83a3d1c7753feff7f1c64ee50fc8feda0bba8a46f7a09fd3d440bf62a
Opcode Fuzzy Hash: 881d3c90ad19964c6da6918df0e0e4337caa5aa913176148f8f193681d2f0b1f
Instruction Fuzzy Hash: E552CA767447095BD308CE9ACC915AEF3D3ABC8304F498A3CEA55C3346EEB4ED0A8655

Function 0042C9C0 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 938d80d8b54b135d4e608de18079c18a12625a2d39b282f4150f3af0fed60567
Instruction ID: 647bf99cabd20ee3dd142e8fe68b6dcc6aa062d2a6b8cac71cdf1b2f00de983d
Opcode Fuzzy Hash: 938d80d8b54b135d4e608de18079c18a12625a2d39b282f4150f3af0fed60567
Instruction Fuzzy Hash: 98428D71E002159BCB14CFA8D880BAEB7B1BF48320F64476AD526EB3D0D739AD45CB95

Function 00466916 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3652247bd8c089d465103b37f6c71d4e673ca5fd6b23de3ab75ea273d4758b
Instruction ID: a5171145d4d0c14ae2868fcd9fe5f72e0c6ffc9d55c0e03dc652366204a68cdc
Opcode Fuzzy Hash: ec3652247bd8c089d465103b37f6c71d4e673ca5fd6b23de3ab75ea273d4758b
Instruction Fuzzy Hash: 86E17F71600215EBDB14CF69CC80ABE77A9EF04324F11871AF825EA2D1EB39DD01DB66

Function 00426F30 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99cb89fda6165a91d89de042f4f32b5802e53ddeaa0e1d06d8a5c815f8850774
Instruction ID: 07640699356893c036b0e292d7923b663acb81a9f2cf74550cb6d6ab223d23c8
Opcode Fuzzy Hash: 99cb89fda6165a91d89de042f4f32b5802e53ddeaa0e1d06d8a5c815f8850774
Instruction Fuzzy Hash: CCC1DE327087A18FD725CE08E0A07BBB7E2AF85740FD8895EE4C147391D7389959CB5A

Function 00412AC0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8c59826f0aa6793433a0a2ea6f0edcbe67a0aff29169d072763532ccf22a90
Instruction ID: 1b57b48730751c4d205168c5151a2a38ec6583c6fb7c9dfd9968cd9d2af1133c
Opcode Fuzzy Hash: be8c59826f0aa6793433a0a2ea6f0edcbe67a0aff29169d072763532ccf22a90
Instruction Fuzzy Hash: 37B19A702047029BD724CF68DAC4BEBB7A8BF44350F50493EE56AC7290DBB4B995CB58

Function 0045B3F6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa99aa563c029306d8bbefdb7aea60221dedf96ace79e2493b49ddded837fa64
Instruction ID: 6e2ec0d292ed487ff07458606a07207b931f5b4cf61c41281038bb4377145422
Opcode Fuzzy Hash: fa99aa563c029306d8bbefdb7aea60221dedf96ace79e2493b49ddded837fa64
Instruction Fuzzy Hash: 64B18D7190020ADFDB29CF04C5D0AA9BBA1FF58319F14C19EDC1A5B382D735EA46CB90

Function 00445AA0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68853668c0020cde0d41761faae5e99550ce6fa2b469f1f965815903281a6b94
Instruction ID: 29fe3306885e124c6924233103d763f952642e1a79a7b7e0a66f9f92acba8600
Opcode Fuzzy Hash: 68853668c0020cde0d41761faae5e99550ce6fa2b469f1f965815903281a6b94
Instruction Fuzzy Hash: B9A11775A08B418FC714CF29C49095AFBF2BFC8704F198A6DE99987325E770E945CB82

Function 00445000 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 11f985d0b326e77262c0fed86dd1cdf550424ee7ad27dcba48431f4cfd1456ea
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: ED81F93954A7819FC711CF29C0D0466FBE2BF9E204F5C999DEAD50B317C231A919CB92

Function 00409E31 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62e10d28df652fffa35174066add9a18acbb1dbc3157d9ee18f2d331356a2205
Instruction ID: 90796334df70f9d4a3199f77e68f79eddcb3078e918d584e7c08e6dd6f89400a
Opcode Fuzzy Hash: 62e10d28df652fffa35174066add9a18acbb1dbc3157d9ee18f2d331356a2205
Instruction Fuzzy Hash: 78317E706047419FC224CF19CC95E6BB7E9EBC5720F004A2EF566972D0DB78DC068B56

Function 004564C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: d25f3c36420a9306b6b842a5a03a3aa63a1a77b5d980288a68d8dd2c4ee25559
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: D41126B328005963DA148E2DF4B42B7A395EBC53277EF427BD8814B34EF629D90D8908

Function 0040F261 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5a7a192ea1baba909fd767c167d91ca2d6a6c2146060ca64fd7eba864752d2
Instruction ID: ad883080b561ecf9d1ec073b03f608411ed6c1d269142b75715eccceb1f6efa0
Opcode Fuzzy Hash: 4a5a7a192ea1baba909fd767c167d91ca2d6a6c2146060ca64fd7eba864752d2
Instruction Fuzzy Hash: FFD0A761D4633202D234591C14017DBE2944FA3330F145B3EEC20623D5DAAEC98D82CA

Function 00403821 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2778039831.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2777950340.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778113722.0000000000477000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.0000000000493000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778168888.00000000004A1000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2778375186.00000000004BF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43cd8f153b196f601910adeee352194921c0fe94c730b598654d692a19276fc8
Instruction ID: 3e20b2bc253920d433ce058d555ceeb2db23e194916f40fa23d15b074c929bf3
Opcode Fuzzy Hash: 43cd8f153b196f601910adeee352194921c0fe94c730b598654d692a19276fc8
Instruction Fuzzy Hash: 58B01200C4140A0362109C2464018F182A0D283521FC0BA601804B3120C48EC90D008C

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_48cced91bc9651528f28e10ed8c46c3e066aea3_dbc789e8_68eb9979-82cb-4667-8c46-c0a3e780565c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_5825ec9a25b42d7b9f7c995f519949422ca889_dbc789e8_e1c6df5a-5fb4-418e-b55b-1e776ced8792\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER345D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER348C.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5B1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB601.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exePID: 3224, Parent PID: 4004

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Function 00454BC0 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 00459574 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON