Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe
Analysis ID:	1522417
MD5:	6b16f73f9a8fd4d554d3eed009eb55fc
SHA1:	4ab50f8300074848f09cb5acd4378d1b6f2c8c53
SHA256:	2f2fb3aab2893d1710edf02e45773065264f80542247b4fb510b3fa2c6191e38
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe (PID: 6824 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe" MD5: 6B16F73F9A8FD4D554D3EED009EB55FC)

WerFault.exe (PID: 5592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 252 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]		0_2_0044622C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 4x nop then mov eax, ecx		0_2_00446921

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	String found in binary or memory: http://jm.2014soft.com/
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00434110	0_2_00434110
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0040E1F0	0_2_0040E1F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0041A2D0	0_2_0041A2D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00426339	0_2_00426339
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_004103A0	0_2_004103A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_004426C0	0_2_004426C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_004187B0	0_2_004187B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00420980	0_2_00420980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00456F45	0_2_00456F45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0045D06D	0_2_0045D06D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00443160	0_2_00443160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_00453216	0_2_00453216
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0044BA00	0_2_0044BA00

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 232

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6824

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b26c810d-83f9-47e9-9bc0-79183ce109ba

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 252

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Section loaded: apphelp.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0044C7E4 push eax; ret		0_2_0044C802
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	Code function: 0_2_0044AF20 push eax; ret		0_2_0044AF4E

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Code function: 0_2_00449969 EntryPoint,LdrInitializeThunk,

0_2_00449969

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	37%	ReversingLabs
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	100%	Avira	HEUR/AGEN.1341547
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	false		unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://jm.2014soft.com/	SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522417
Start date and time:	2024-09-30 01:39:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe
Detection:	MAL
Classification:	mal64.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.189.173.21
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Simulations

Behavior and APIs

Time	Type	Description
19:40:26	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_482475ec343ea7ad9fce808eb1697756ce9747b_ee73a472_a6f9afa2-afb1-471a-8e2b-f7746878757e\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6849780040117757
Encrypted:	false
SSDEEP:	192:23EyNUdc7RJB50BU/xiJjEzuiFPZ24IO81NP:20ye6dJsBU/QjEzuiFPY4IO8X
MD5:	B8A205A591B3AFEEF475DDEE8E5A0987
SHA1:	E03C8B9B27CF89F3273E24ABFBB38D2C2B2B7CC2
SHA-256:	E10DDD5DEEBC93B5C12A8BD8E48DF5C5736DE8F22067DE208A1DDC634722B5B0
SHA-512:	956C98748D07DEA3E78B293111F31A34A92F15653EE29555FE8ED1B302076CE410FF9673E41E6C8C91A2809458559DF5097D55FA71512C10834F266770D273CA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.2.6.8.0.8.2.4.6.7.9.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.2.6.8.0.8.5.7.4.9.1.4.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.f.9.a.f.a.2.-.a.f.b.1.-.4.7.1.a.-.8.e.2.b.-.f.7.7.4.6.8.7.8.7.5.7.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.e.f.b.e.d.c.4.-.b.6.9.e.-.4.0.d.0.-.b.7.2.2.-.0.8.5.0.d.0.2.7.b.d.7.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...6.B.J.Q.T.B...3.7.6.1...1.3.5.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.8.-.0.0.0.1.-.0.0.1.4.-.b.5.5.2.-.b.b.e.a.c.8.1.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.5.0.b.1.a.8.c.e.f.f.7.a.f.9.8.9.7.f.4.0.7.1.c.d.f.d.8.1.7.c.9.0.0.0.0.f.f.f.f.!.0.0.0.0.4.a.b.5.0.f.8.3.0.0.0.7.4.8.4.8.f.0.9.c.b.5.a.c.d.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcad985de84d8f997758f4eb9988ebf9b2471a_ee73a472_85a9483e-fdd7-4356-a2d0-b5b3da962fe3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6844980283948603
Encrypted:	false
SSDEEP:	192:mMUdc7RjBI0drD0riJjEzuiFPZ24IO81NP:A6djVdrD0ejEzuiFPY4IO8X
MD5:	DC2D6D15E1756DCCD0D5F810E036F0CF
SHA1:	032A6502F157B1C355DF6A559075970208CCAC21
SHA-256:	C82C3BD37BF32C668EDD80B350168ADBECC3CE935A97F23121F3E03527F63EEC
SHA-512:	9652E2BD8758676747AB32B28074D33818869A33008DAD4DAA180A0207D04809D3EC96235DFF401A009D2DC7D649823C276B015F4E8F013D2C5875DD44202875
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.2.6.8.2.6.2.8.1.0.2.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.2.6.8.2.6.6.0.9.1.4.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.a.9.4.8.3.e.-.f.d.d.7.-.4.3.5.6.-.a.2.d.0.-.b.5.b.3.d.a.9.6.2.f.e.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.7.5.a.2.e.5.e.-.4.e.0.d.-.4.6.5.8.-.a.a.5.3.-.5.4.2.4.f.3.1.7.1.a.8.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...6.B.J.Q.T.B...3.7.6.1...1.3.5.0.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.8.-.0.0.0.1.-.0.0.1.4.-.b.5.5.2.-.b.b.e.a.c.8.1.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.5.0.b.1.a.8.c.e.f.f.7.a.f.9.8.9.7.f.4.0.7.1.c.d.f.d.8.1.7.c.9.0.0.0.0.f.f.f.f.!.0.0.0.0.4.a.b.5.0.f.8.3.0.0.0.7.4.8.4.8.f.0.9.c.b.5.a.c.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6751.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Sep 29 23:40:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18710
Entropy (8bit):	1.971548018050897
Encrypted:	false
SSDEEP:	96:5j8ZZ06o+kQvKGs3Di7nTsIDNQDM7KwCWIkWItoI4LhMeBaTn42sB:SRqqqDOTjDNQlfLhMeMts
MD5:	100CB72ED77AC65A2A29C4235B24B620
SHA1:	4FE8BCDFE9E84A85380E9A3A94F0DBA628142904
SHA-256:	BD1BD05E0B6AA4ADDF6B0C21EA980DBCBB7B709347710B81A8EC336B8E36BCE4
SHA-512:	ABFD352FCC4AF3930A053ACD12D62CDDBDF5CEB123FA011A6F57A4D31A11B59730E32DF635CB73DC651727FE97BB0BEEDECAEDD6ECF438B677674E442F7AE986
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......X..f............4...............<.......d...............T.......8...........T...............~?......................................................................................................eJ......L.......GenuineIntel............T...........W..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6791.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8484
Entropy (8bit):	3.7102229648939993
Encrypted:	false
SSDEEP:	192:R6l7wVeJEs36Sqq6Y99SU9Wgmf/acvpr+89bJwsf0tjm:R6lXJv6a6Y3SU9WgmfF1JDf9
MD5:	DF7F00F4648EF57BCF2F700A6E9338F5
SHA1:	A95FB62607630964E3B61616010776ACCEB8ECC4
SHA-256:	4E41701A0C4B71C554945BAA019A70442355F49918C85EEE56057A34DDE0A7B6
SHA-512:	B6D7CB37A73988030488D2050F5ACA21C04A2623E487EEE6B3BBB7D8B3095A132D670BFDCA17A206A4CA871B6D62074E97787BFA399448802215B7BB33327AB8
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67B1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.6089358553423425
Encrypted:	false
SSDEEP:	48:cvIwWl8zsgJg77aI97MvDWpW8VYxE6eYm8M4JYnTqFpj+q8bPDj+1d0+g0Ed:uIjfmI7mq7VIE6XJYnqoqd0+g0Ed
MD5:	E37BF83607B6BE8A6059BA84458198E1
SHA1:	941CF6ED4D272DE703492EA09B8C17C2DC34B482
SHA-256:	B9F6C13FFF3C7DBE5347E278000384E8F8682AFD12FF5D03D0A40DB77998E7F7
SHA-512:	286400DD1ECA8DB44594803453006D9E2993FB8DC5263400ABB7E196231DA3F84BA9445725C9DC926F76C9A869AC6EE1554410EA63FDCD7A4938DE1E9FD7CB94
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522162" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Sep 29 23:40:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18578
Entropy (8bit):	1.9269236622814268
Encrypted:	false
SSDEEP:	96:5x8NZbK6o+kQEWmQlDi7nJ7WYOViCDKBXwCWIkWI5oIQ8VEjOJW:wbfqdWHlDOYLViCGJTPOJW
MD5:	D8F6CA00C62F6688347F306430952861
SHA1:	43E7D9197BD9BE56B020C5F611E361BE10AE6B3A
SHA-256:	E2AA1F15A6C39942028BB1724D9CA1C47FDD1A8C38C8ADA7AED6A8A089F43C68
SHA-512:	412E3C34A8A5BA50C73A7361985975BBFF9E68692AC7F4B0628745AB070198A9E0A71C284A679D9E4ECCBD8264F0612B5C2F7C27EB8DFAEB46AE12690316CA3F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......j..f............4...............<.......T...............T.......8...........T...........H...J?......................................................................................................eJ......L.......GenuineIntel............T...........W..f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADF0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8496
Entropy (8bit):	3.706647950983605
Encrypted:	false
SSDEEP:	192:R6l7wVeJEsT6vODh6Y9kSU9Cggmf/a/ljpDv89bVwsfOHm:R6lXJr6WDh6Y+SU9CggmfilmVDff
MD5:	113F339AD8CB2743D225F66E54A92574
SHA1:	BBE6D60567B94D77E360AD1604C982AB227BE2CF
SHA-256:	8D15F960F56BD2BC75EA1EA55C5373CE2186201E514F143BB1D483148927C209
SHA-512:	9B2A593F20A8DF19E50F16D245C0EEC50F26032B74A769E7C1DF95A81396F6F0867CDE43A956ED943F53817E5CAEC6CEDF8660E58FED3453E1310A61B4900320
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.2.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE30.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.607512943238012
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPJg77aI97MvDWpW8VYxyYm8M4JYnT4MOqFC+q8b1KMOzj+1d0+g0Ed:uIjfxI7mq7VI7JYnv+ojpd0+g0Ed
MD5:	3E2200BCB0AECABA070487614C5BC991
SHA1:	626B06DB95460ED23B51B488A0114DF24DFB5AFB
SHA-256:	17FF882E2B33606F141C8188937AE2314CB5CFF1BEC80D4A8A0189F58D7CDAAD
SHA-512:	5574F7ABA21D4E8FFB6598374C6F59191C3EC58A2067A932D3185F8BF82308DE37396280C8C4BD4C62D5D86AD50B6A106F721E313C3DC4C0AC338C6CFCC02201
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522163" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465721670853696
Encrypted:	false
SSDEEP:	6144:IIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNpdwBCswSb0:dXD94+WlLZMM6YFH/+0
MD5:	A57A98BD403F7011BE7058CDF42D4431
SHA1:	0D829327F8BC5CCA5C296AEF65C4B19251F7C11D
SHA-256:	16FBC662D4C5727AFFF9CB60C4E02EDD5A7DDFC27FB6F102ACA19B6C69F7C37E
SHA-512:	6AA59D11E1E91F742293B781724F701BA16E1DA1A98BA346C188FC2D8FEEC359DAD7EF5ACEFABF8A84F1C8E3D24A2483E3988B6283E5AB907835422E448B63CF
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....................................................................................................................................................................................................................................................................................................................................................0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.021234508396024
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe
File size:	847'872 bytes
MD5:	6b16f73f9a8fd4d554d3eed009eb55fc
SHA1:	4ab50f8300074848f09cb5acd4378d1b6f2c8c53
SHA256:	2f2fb3aab2893d1710edf02e45773065264f80542247b4fb510b3fa2c6191e38
SHA512:	6b48c52b11b8f6c07e788a0afaf75d3cf012430b8fbecc44927bebc9a8b34fb54b6f2b567e45d520fd467d1f6934d98c2516ccc592e859a97fd40a4c5bf64e35
SSDEEP:	12288:SC1KWwZ5qdJlBwu9rVyVeV2LcEdbFGWbcr:SdZwd3YeVFEqW
TLSH:	E2058D23F1D2D0E7D356A6B04C5767365A2A9DA60B34DBF352A9FF2F49330807D2A211
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM............................i......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x449969
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00488260h
push 0044BBDCh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0046A184h]
xor edx, edx
mov dl, ah
mov dword ptr [004C77DCh], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [004C77D8h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004C77D4h], ecx
shr eax, 10h
mov dword ptr [004C77D0h], eax
push 00000001h
call 00007FD494B74ED8h
pop ecx
test eax, eax
jne 00007FD4A0D74ACAh
push 0000001Ch
call 00007FD433614ED8h
pop ecx
call 00007FD451B54ED8h
test eax, eax
jne 00007FD4A0D74ACAh
push 00000010h
call 00007FD433614ED8h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007FD495B34ED8h
call dword ptr [0046A2D4h]
mov dword ptr [004C8FE4h], eax
call 00007FD463B24ED8h
mov dword ptr [004C7798h], eax
call 00007FD516B04ED8h
call 00007FD45DAF4ED8h
call 00007FD4949D4ED8h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0046A22Ch]
call 00007FD505AF4ED8h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007FD4A0D74AC8h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8f350	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc9000	0x5d3c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6a000	0x6ec	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69000	0x69000	caf9e952fad0870ecc5267a9efc3ccff	False	0.5143461681547619	data	6.63080876952141	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6a000	0x28000	0x28000	775fa2e3dd02089843e97c3503f0d4f7	False	0.197027587890625	data	3.0505255417452157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x92000	0x37000	0x37000	495ac8963be40e423d09ff7651f497f4	False	0.08782404119318182	data	1.6770096535499606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc9000	0x6000	0x6000	006e7185845e6fbcae1ba15f8c579686	False	0.21329752604166666	data	3.475537587005392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exePID: 6824, Parent PID: 2580

General

Target ID:	0
Start time:	19:40:07
Start date:	29/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe"
Imagebase:	0x400000
File size:	847'872 bytes
MD5 hash:	6B16F73F9A8FD4D554D3EED009EB55FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5592, Parent PID: 6824

General

Target ID:	3
Start time:	19:40:08
Start date:	29/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 232
Imagebase:	0xb90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5856, Parent PID: 6824

General

Target ID:	8
Start time:	19:40:26
Start date:	29/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 252
Imagebase:	0xb90000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exePID: 6824, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 00449969 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0044998F

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1a8b55977ad9f34cd7a3dcbfc3abaab1a029bf330dfef813f3be7f242a2dcabf
Instruction ID: c3a92b10b366937a75ec76ee07ea2781ee44729c831a57d37660c6ba1b178185
Opcode Fuzzy Hash: 1a8b55977ad9f34cd7a3dcbfc3abaab1a029bf330dfef813f3be7f242a2dcabf
Instruction Fuzzy Hash: 8021E6B19407059FEB049FB5DC05A6E77A8EF14730F10072AE435E63E0DB7859808B55

Function 0044BBDC Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 0044BC83

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e90246d167c9d2e00c7ce4e6c4044f5af099ed21b16b2d28708fcd2ae298a55a
Instruction ID: a1e9e71eafc35b65f72da0937b9539ff3ca47d8e5769548c5a58481757b47dc9
Opcode Fuzzy Hash: e90246d167c9d2e00c7ce4e6c4044f5af099ed21b16b2d28708fcd2ae298a55a
Instruction Fuzzy Hash: C021C872500209EBDB10EF1CD8C4AAAB764FF04360F45469AED158B385EB35F965CBE0

Non-executed Functions

Function 00456F45 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

9, xrefs: 004571C6
-, xrefs: 0045701C
0, xrefs: 004570E6
e, xrefs: 0045703D
0, xrefs: 004571E4
+, xrefs: 0045713A
1, xrefs: 0045718A
9, xrefs: 00457192
0, xrefs: 00457021
9, xrefs: 00456FB4
E, xrefs: 0045702F
9, xrefs: 0045705A
9, xrefs: 004571D6
c, xrefs: 00457034
C, xrefs: 00457026
-, xrefs: 00457143
0, xrefs: 004571B3
1, xrefs: 004571BD
9, xrefs: 00457006
+, xrefs: 00457017
0, xrefs: 0045706F

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: fe94ca2154370c0bca64455820a8e9b8bcdc17abaac871e0e17e7dccfb58c948
Instruction ID: b9184aa5da7386a1d01b5e96e445bddbaef4664b85954b60624a597c486a24cb
Opcode Fuzzy Hash: fe94ca2154370c0bca64455820a8e9b8bcdc17abaac871e0e17e7dccfb58c948
Instruction Fuzzy Hash: 7DE10531D596099EEB248F64E8057AE7BB1BB10322F640277EC11D72D3C77C898ACB59

Function 00420980 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00420BC4
MTrk, xrefs: 00420AFC

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: 4a5675cb58ae38e50f8ab9f4882087e3c7e62f39db1a373f8e05a90b879b9123
Instruction ID: 0fd9abd85245a758319a09af7a9897aec820e9577d763f50d17dd5f2f6d2b305
Opcode Fuzzy Hash: 4a5675cb58ae38e50f8ab9f4882087e3c7e62f39db1a373f8e05a90b879b9123
Instruction Fuzzy Hash: 6391D5717043058FD718CF29D88056BB7E2EFD8314B548A3EE45ACB782DA38E945C755

Function 00426339 Relevance: 2.7, Strings: 1, Instructions: 1493COMMON

Download Yara Rule

Strings

":F, xrefs: 0042655E, 004265FC, 0042669C, 004275AC

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ":F
API String ID: 0-2124312896
Opcode ID: 632e177ee9f2f84572b76cc2e9ba29f7ebaf79ca4559191d5dcfbef98e839ab3
Instruction ID: ec12d9ab20f5eeb41153e0eb91f05258b91a1f899e27beaac0c1af3aae0d21e2
Opcode Fuzzy Hash: 632e177ee9f2f84572b76cc2e9ba29f7ebaf79ca4559191d5dcfbef98e839ab3
Instruction Fuzzy Hash: 4ED23B712083819FD324CF69D894EAFB7E9AFC4714F004E1DE5AA83290DB74A945CB67

Function 0040E1F0 Relevance: 2.2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

Strings

d, xrefs: 0040E203

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: d861b962d9bd0d77554385265aea4ac75cf497550313bfbcb03a599129396b45
Instruction ID: b7f55d3e2b9fbedfc658106eb698ba68a578bd60384b1e3915e611d0a29d608b
Opcode Fuzzy Hash: d861b962d9bd0d77554385265aea4ac75cf497550313bfbcb03a599129396b45
Instruction Fuzzy Hash: 20729E716043419BD320DF66CC80B6FB7E9AF84720F044A2DE965A73D0EB74E855CBA6

Function 00434110 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a15e97704ab8f1cc60bb438dde0b78c178e62902f829072e16b8f2c24be9017
Instruction ID: 7695a78e3c1be5b686d18a4be4bfb554878a0faae0f61916b882b2c0b03daff7
Opcode Fuzzy Hash: 7a15e97704ab8f1cc60bb438dde0b78c178e62902f829072e16b8f2c24be9017
Instruction Fuzzy Hash: FB62CA767447095BD308CE9ECC9159EF3E3ABC8314F488A3CE965C3346EEB4E90A8655

Function 0041A2D0 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a126663e9b6be714a397060fdbaf2b5342bb925073cff7780b0e68c70fcacd
Instruction ID: 7e45b4d5436b96e100e177682b31fc4fc6a905ca2ddfda689e1123ae7fe5f977
Opcode Fuzzy Hash: 67a126663e9b6be714a397060fdbaf2b5342bb925073cff7780b0e68c70fcacd
Instruction Fuzzy Hash: 86426F71E052159BCB14CFA8C880AEEB7B1AF48330F14476AD535A73D0E738AD95CB96

Function 0045D06D Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43cf18f0fe75ac7c4c12eec7e90cd4af822490a968394ceab6ed8cc5f7c60d7
Instruction ID: f109cac614db654c31d4465d13f8e3b323951e5758c7bfa633caed63e0d682dc
Opcode Fuzzy Hash: b43cf18f0fe75ac7c4c12eec7e90cd4af822490a968394ceab6ed8cc5f7c60d7
Instruction Fuzzy Hash: 51E18F71A00219ABDB24CF68CC84ABE37A9EF04335F108716F835DA2D1DB39DA05DB65

Function 004187B0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d5dc581255df05f8b3c81f424d0f709f1572fd295664c1ba8e569d49b9e883
Instruction ID: bc393e40425f2db82c7e171eb891419c4c88bc3c29203622f148ac4a3bc862c8
Opcode Fuzzy Hash: e5d5dc581255df05f8b3c81f424d0f709f1572fd295664c1ba8e569d49b9e883
Instruction Fuzzy Hash: 17C1D0B26086814FD725CF09C0613FBBBE2AF81750F98895FE4D147391DB389989C74A

Function 004103A0 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78c138a4a5c25d1d8dfa320f1f225f90bc2a848eab83e855d4ab212b00e6e495
Instruction ID: da85df2dbf3c0a23bb34352bc0f2e195686d5ccff9155eedc9eaa62bcb9b66bc
Opcode Fuzzy Hash: 78c138a4a5c25d1d8dfa320f1f225f90bc2a848eab83e855d4ab212b00e6e495
Instruction Fuzzy Hash: E0B16D702007029BD724CF69C8C4BEBB7A5BF84324F044A2DE56A97291DBB4B9C5CB59

Function 00453216 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f57dd47f9fd71e327457e981826fab80807efbe6ec485a72b954e4e40bd3035
Instruction ID: b07fed23ac61161c9cbbabb73c103e4baa7deb4f61285335f82102867312cde9
Opcode Fuzzy Hash: 8f57dd47f9fd71e327457e981826fab80807efbe6ec485a72b954e4e40bd3035
Instruction Fuzzy Hash: AAB18D75A0020ADFDB15CF04C5D0AA9BBA1BF49356F14C19EDC1A4B382C735EE4ACB90

Function 00443160 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277302692238751f6b0d7d6ea96793e26851527a7968fcf434e3654650fd6bf8
Instruction ID: 065ed1ecc3f60a77d0750ba352ad08e9cb301bf38dbb3d21ee8f4ffc8d3b34b0
Opcode Fuzzy Hash: 277302692238751f6b0d7d6ea96793e26851527a7968fcf434e3654650fd6bf8
Instruction Fuzzy Hash: 0CA10775A087418FD318CF29C49085AFBF2BFC8714F198A6EE99987325E770E945CB42

Function 004426C0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: dc043f7e18024d91ae930dad968b177db4dd48afb250ae0a63ab084f17ef6542
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: B581F83954A7819FC715CF29C0D04A6FFE2BF9E204F5C999DE9C50B316C231A91ACB92

Function 0044BA00 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: f436cea6800d6779895442c6ada3325b5ab18c9d928c5d1d5aead31df7c25148
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 07115CA720004287F704CE6ED4B03B7E3D5EBC632076DD27BD082AF794D72ADA459588

Function 00446921 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8389bbe62859e0af8520e3521b66cad60b213a629ec7e700e972c8356e4232bb
Instruction ID: afb212fae34036be8637558e900d6a9174b170c5936ca575909dd66e9f78f6bd
Opcode Fuzzy Hash: 8389bbe62859e0af8520e3521b66cad60b213a629ec7e700e972c8356e4232bb
Instruction Fuzzy Hash: 8AD067B1E052058FD7088F58D859859BBF0EB06320715D5EEE01A9B332C778C4018B4C

Function 0044622C Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1934479312.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1934421555.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000046A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.0000000000473000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934580347.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934636394.000000000049F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1934676042.00000000004C9000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c13b32b0c9c4caf908716171f6eada17d8b4c25b2c165c0d46f50fb4850bdd4e
Instruction ID: 038643b9452e222d026db683072c46919bd44b57e747216e1aea2920a006d26e
Opcode Fuzzy Hash: c13b32b0c9c4caf908716171f6eada17d8b4c25b2c165c0d46f50fb4850bdd4e
Instruction Fuzzy Hash: CDC012349002019A4208CF208454D3BFBA0ABFA321F119A1EA062A36E0CA70C8A0C60E

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_482475ec343ea7ad9fce808eb1697756ce9747b_ee73a472_a6f9afa2-afb1-471a-8e2b-f7746878757e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcad985de84d8f997758f4eb9988ebf9b2471a_ee73a472_85a9483e-fdd7-4356-a2d0-b5b3da962fe3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6751.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6791.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER67B1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERADF0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE30.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exePID: 6824, Parent PID: 2580

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Function 00449969 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 0044BBDC Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON