IOC Report
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe

Files

File Path | Type | Category | Malicious
SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_482475ec343ea7ad9fce808eb1697756ce9747b_ee73a472_a6f9afa2-afb1-471a-8e2b-f7746878757e\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcad985de84d8f997758f4eb9988ebf9b2471a_ee73a472_85a9483e-fdd7-4356-a2d0-b5b3da962fe3\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6751.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Sep 29 23:40:08 2024, 0x1205a4 type | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6791.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WER67B1.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERADC0.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Sep 29 23:40:26 2024, 0x1205a4 type | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERADF0.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped | -
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE30.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | -
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped | -

A dash in the Malicious column means the entry was not flagged. The Report.wer, .dmp and WERInternalMetadata.xml files are written by Windows Error Reporting when the sample crashes (AppCrash_ prefix; see the WerFault.exe processes below), and Amcache.hve is rewritten by the application-compatibility inventory. They are execution artifacts of the run rather than files the sample wrote itself, which also makes them useful evidence of execution on a victim host.

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe | "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 232 | -
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 252 | -

WerFault.exe is the Windows crash handler; -p gives the PID of the faulting process, and both invocations target 6824 while the AppCrash_SecuriteInfo.com reports above name the sample as the crashing application. The SysWOW64 copy is used because the sample is a 32-bit process, consistent with the PE32 file type. The two invocations correspond to the two Report.wer/.dmp pairs listed under Files.
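
Because the only host-side traces in this report are WER crash artifacts, the check a responder most often needs is to read the Report.wer files from a host's ReportQueue and match them against the sample name. The following is an added example, not part of the sandbox report and not vendor tooling; it assumes the key=value Report.wer layout and a constructed sample report modelled on it, and the helper names (parse_wer, match_report, scan_report_queue) are this example's own. Note that the ReportQueue directory name abbreviates the application name (AppCrash_SecuriteInfo.com_... for the full file name above), so the match is done on the AppName/AppPath fields inside Report.wer rather than on the directory name.

```python
"""Added example: parse WER Report.wer files and match them against the
file-name indicator from the report above. Not part of the sandbox report.

Report.wer is UTF-16 LE text (normally BOM-prefixed, CRLF line endings) made
of key=value lines such as EventType, AppName, AppPath and paired
Sig[n].Name / Sig[n].Value entries. WER writes one under
C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_<app>_...\\
whenever a program crashes, so it survives as evidence of execution even if
the sample itself was deleted afterwards.
"""
import re
from pathlib import Path, PureWindowsPath
from typing import Dict, Iterator, List, Tuple

# File-name indicator taken from the report above (lower-cased for matching).
IOC_FILENAMES = {"securiteinfo.com.win32.trojan.pse.6bjqtb.3761.13503.exe"}

_SIG_RE = re.compile(r"^(Sig|DynamicSig)\[(\d+)\]\.(Name|Value)$")


def parse_wer(data: bytes) -> Dict[str, str]:
    """Decode a Report.wer blob into a flat dict.

    Sig[n] / DynamicSig[n] Name+Value pairs are folded into their human
    names (fields["Application Name"]); every other key is kept verbatim.
    The UTF-16 BOM is optional.
    """
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    text = data.decode("utf-16-le")
    fields: Dict[str, str] = {}
    sig_names: Dict[str, str] = {}
    sig_values: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank line; WER never emits a key without '='
        key, _, value = line.partition("=")
        m = _SIG_RE.match(key)
        if m is None:
            fields[key] = value
            continue
        kind, idx, part = m.groups()
        slot = f"{kind}[{idx}]"
        (sig_names if part == "Name" else sig_values)[slot] = value
    for slot, name in sig_names.items():
        if slot in sig_values:
            fields[name] = sig_values[slot]
    return fields


def match_report(fields: Dict[str, str]) -> List[str]:
    """Return the reasons a parsed report matches an indicator ([] = none)."""
    app_path = fields.get("AppPath", "")
    # AppName can be missing; the basename of AppPath carries the same value.
    app_name = fields.get("AppName") or PureWindowsPath(app_path).name
    if app_name.lower() in IOC_FILENAMES:
        return [f"AppName matches IOC: {app_name}"]
    return []


def scan_report_queue(queue_dir: Path) -> Iterator[Tuple[Path, Dict[str, str], List[str]]]:
    """Yield (path, fields, reasons) for every Report.wer under a ReportQueue
    or ReportArchive directory. Hypothetical helper name."""
    for wer in sorted(queue_dir.glob("*/Report.wer")):
        fields = parse_wer(wer.read_bytes())
        yield wer, fields, match_report(fields)


# Constructed sample in the Report.wer layout; not a capture from the run.
SAMPLE_WER = b"\xff\xfe" + (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "Sig[0].Name=Application Name\r\n"
    "Sig[0].Value=SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe\r\n"
    "Sig[1].Name=Application Version\r\n"
    "Sig[1].Value=0.0.0.0\r\n"
    "DynamicSig[1].Name=OS Version\r\n"
    "DynamicSig[1].Value=10.0.19045.2.0.0.256.48\r\n"
    "AppName=SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe\r\n"
    "AppPath=C:\\Users\\user\\Desktop\\"
    "SecuriteInfo.com.Win32.Trojan.PSE.6BJQTB.3761.13503.exe\r\n"
).encode("utf-16-le")


if __name__ == "__main__":
    import tempfile

    # Stand-alone demo: write the constructed report into a temporary
    # ReportQueue layout and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        report_dir = Path(tmp) / "AppCrash_SecuriteInfo.com_constructed"
        report_dir.mkdir()
        (report_dir / "Report.wer").write_bytes(SAMPLE_WER)
        for path, fields, reasons in scan_report_queue(Path(tmp)):
            print(path.parent.name, fields.get("EventType"), fields.get("AppPath"))
            for reason in reasons:
                print("  HIT:", reason)
```

On a live host, point scan_report_queue at C:\ProgramData\Microsoft\Windows\WER\ReportQueue and ReportArchive (and the per-user copies under %LOCALAPPDATA%\Microsoft\Windows\WER); the parser strips the BOM itself because some collection tools drop it when copying the file.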

URLs

Name | IP | Malicious
http://www.clamav.net | unknown | -
http://upx.sf.net | unknown | -
http://jm.2014soft.com/ | unknown | -

An IP of unknown means no DNS resolution or connection to the host was recorded during the run, so treat these as string indicators rather than observed network contact. http://upx.sf.net is the URL embedded in the UPX packer's stub string and points at packing rather than at a contacted host.

Registry

Key: \REGISTRY\A\{b64f7dc3-9bc1-8474-cf7d-8f261e72334f}\Root\InventoryApplicationFile\securiteinfo.com|9c130dc0078a0cd2
Values: ProgramId, FileId, LowerCaseLongPath, LongPathHash, Name, OriginalFileName, Publisher, Version, BinFileVersion, BinaryType, ProductName, ProductVersion, LinkDate, BinProductVersion, AppxPackageFullName, AppxPackageRelativeId, Size, Language, Usn
Malicious: -

Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
Values: ClockTimeSeconds, TickCount
Malicious: -

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property
Values: 00188010997FEA57
Malicious: -

Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363}
Values: DeviceTicket, DeviceId
Malicious: -

14 further registry entries are not shown in this extract.

\REGISTRY\A\{...} is an application hive; this InventoryApplicationFile key is the Amcache.hve record for the sample (the Amcache.hve write listed under Files) and stores execution metadata (path, FileId hash, link date, size) rather than a persistence setting. The IdentityCRL keys belong to the Microsoft account identity runtime, which Windows updates in the background.

Memdumps

Base Address | Region type | Protect | Malicious
400000 | unknown | page readonly | -
401000 | unknown | page execute read | -
4C9000 | unknown | page readonly | -
400000 | unknown | page readonly | -
4C9000 | unknown | page readonly | -
610000 | heap | page read and write | -
473000 | unknown | page readonly | -
9D000 | stack | page read and write | -
49F000 | unknown | page write copy | -
19D000 | stack | page read and write | -
4D0000 | heap | page read and write | -
492000 | unknown | page write copy | -
401000 | unknown | page execute read | -
4FA000 | heap | page read and write | -
46A000 | unknown | page readonly | -
473000 | unknown | page readonly | -
46A000 | unknown | page readonly | -
1F0000 | heap | page read and write | -
49F000 | unknown | page write copy | -
47E000 | unknown | page readonly | -
492000 | unknown | page write copy | -
4F0000 | heap | page read and write | -
47E000 | unknown | page readonly | -
4FE000 | heap | page read and write | -

14 further memory dumps are not shown in this extract.

Base addresses are hexadecimal. The regions typed unknown lie inside the image mapped at 400000, the default load base of a 32-bit PE: headers at 400000 (page readonly), code at 401000 (page execute read) and copy-on-write data at 492000 and 49F000. Among the regions shown, 401000 is the only executable one; no executable heap or stack region appears.