IOC Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_48cced91bc9651528f28e10ed8c46c3e066aea3_dbc789e8_68eb9979-82cb-4667-8c46-c0a3e780565c\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_5825ec9a25b42d7b9f7c995f519949422ca889_dbc789e8_e1c6df5a-5fb4-418e-b55b-1e776ced8792\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER33FE.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 04:42:33 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER345D.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WER348C.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5B1.tmp.dmp | Mini DuMP crash report, 14 streams, Tue May 28 04:43:06 2024, 0x1205a4 type | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB5E1.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | |
| C:\ProgramData\Microsoft\Windows\WER\Temp\WERB601.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe | "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.7650.2603.exe" | malicious |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232 | |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 232 | |

URLs

| Name | IP | Malicious |
|---|---|---|
| http://www.clamav.net | unknown | |
| http://upx.sf.net | unknown | |
| http://ssjj.4399.com/ | unknown | |

Registry

Path: \REGISTRY\A\{5b165c5b-1694-c3af-ff1a-1459770bbed1}\Root\InventoryApplicationFile\securiteinfo.com|37bd77c66a0f79b2
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Values: DeviceTicket, DeviceId, ApplicationFlags

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Values: 0018000DDABBE6B3

Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Values: ClockTimeSeconds, TickCount

None of the listed registry entries is marked malicious. 15 further registry entries are hidden in the source report.

Memdumps

| Base Address | Region type | Protect | Malicious |
|---|---|---|---|
| 670000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 830000 | heap | page read and write | |
| 477000 | unknown | page readonly | |
| 1F0000 | heap | page read and write | |
| 19D000 | stack | page read and write | |
| 4BF000 | unknown | page readonly | |
| 4A1000 | unknown | page write copy | |
| 4BF000 | unknown | page readonly | |
| 5B0000 | heap | page read and write | |
| 493000 | unknown | page write copy | |
| 400000 | unknown | page readonly | |
| 83E000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 400000 | unknown | page readonly | |
| 9D000 | stack | page read and write | |
| 4A1000 | unknown | page write copy | |
| 83A000 | heap | page read and write | |
| 493000 | unknown | page write copy | |
| 477000 | unknown | page readonly | |

None of the listed memory dumps is marked malicious. 10 further memory dumps are hidden in the source report.