Click to jump to signature section
| Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net |
| Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | String found in binary or memory: http://www.clamav.net |
| Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | String found in binary or memory: http://www.repairfile.com |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 232 |
| Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Static PE information: No import functions for PE file found |
| Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI |
| Source: classification engine | Classification label: mal48.winEXE@2/5@0/0 |
| Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4720 |
| Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe" |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 232 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0043406C push 004340BEh; ret | 0_2_004340B6 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004510EC push 00451118h; ret | 0_2_00451110 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00407090 push ecx; mov dword ptr [esp], eax | 0_2_00407091 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004211E0 push 0042120Ch; ret | 0_2_00421204 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004071E8 push 00407214h; ret | 0_2_0040720C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004201F0 push 004202C0h; ret | 0_2_004202B8 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0045C1F8 push 0045C23Bh; ret | 0_2_0045C233 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0040E251 push ds; ret | 0_2_0040E252 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00407259 push 00407544h; ret | 0_2_0040753C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00455264 push 00455290h; ret | 0_2_00455288 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0044D204 push 0044D230h; ret | 0_2_0044D228 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00407220 push 0040724Ch; ret | 0_2_00407244 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0040E225 push ds; ret | 0_2_0040E24F |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0044F288 push 0044F2C7h; ret | 0_2_0044F2BF |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0045D344 push 0045D370h; ret | 0_2_0045D368 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00436364 push 00436390h; ret | 0_2_00436388 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0045D37C push 0045D3A2h; ret | 0_2_0045D39A |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004063C0 push 00406425h; ret | 0_2_0040641D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0040E3E8 push 0040E435h; ret | 0_2_0040E42D |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_004593A8 push 004593D4h; ret | 0_2_004593CC |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0044A474 push 0044A4A0h; ret | 0_2_0044A498 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00406428 push 00406517h; ret | 0_2_0040650F |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0043C4C8 push 0043C533h; ret | 0_2_0043C52B |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0044A4AC push 0044A4D8h; ret | 0_2_0044A4D0 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0042054C push 00420578h; ret | 0_2_00420570 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0040D55C push 0040D699h; ret | 0_2_0040D691 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00407518 push 00407544h; ret | 0_2_0040753C |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0045C5C0 push 0045C5ECh; ret | 0_2_0045C5E4 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_00420640 push 0042066Ch; ret | 0_2_00420664 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0044B648 push 0044B67Bh; ret | 0_2_0044B673 |
| Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe | Code function: 0_2_0040665A push 00406688h; ret | 0_2_00406680 |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse |
| Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc. |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1hbin@ |
| Source: Amcache.hve.3.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
| Source: Amcache.hve.3.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
| Source: Amcache.hve.3.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
| Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
| Source: Amcache.hve.3.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
| Source: Amcache.hve.3.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
| Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
| Source: Amcache.hve.3.dr | Binary or memory string: vmci.sys |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
| Source: Amcache.hve.3.dr | Binary or memory string: vmci.syshbin` |
| Source: Amcache.hve.3.dr | Binary or memory string: \driver\vmci,\driver\pci |
| Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware20,1 |
| Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
| Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
| Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
| Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
| Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware PCI VMCI Bus Device |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware VMCI Bus Device |
| Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual RAM |
| Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
| Source: Amcache.hve.3.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563 |
| Source: Amcache.hve.3.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe |
| Source: Amcache.hve.3.dr | Binary or memory string: msmpeng.exe |
| Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
| Source: Amcache.hve.3.dr | Binary or memory string: MsMpEng.exe |
Edit tour
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.30005.24109.exe (PID: 4720 cmdline: 
WerFault.exe (PID: 2180 cmdline: 
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet
Key Decision
Richest Path
Thread / callback creation
Lower opacity -> Library Node