Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Overview

General Information

Sample name: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe
Analysis ID: 1527907
MD5: 152109865fa6bf8a6bbfb266c8178322
SHA1: 5c8d539cd1ef911c94688aa89412b1565e61653e
SHA256: c2a503bd56357a5f9426b4c6e8835771af786d2de7cb6d4f55b0926832988ca2
Tags: exe
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Avira: detected
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://home.americanexpress.com/home/mt_personal_cm.shtml?source=widgetmenu
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://home.americanexpress.com/home/mt_personal_cm.shtml?source=widgetmenuhttp://travel.americanexp
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://travel.americanexpress.com/travel/personal/?referrer=widget
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.americanexpress.com/amexlabs/redirect/redirect1.html
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php?==?
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.membershiprewards.com/HomePage.aspx?=widget
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.serence.com/site.php?page=dnld_kf
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www.serence.com/site.php?page=dnld_kfdialogs/klip
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: http://www201.americanexpress.com/apply/Fmacfservlet?csi=0/22000/b/2/0958142007/094075531290/20/n&fr
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: https://www.americanexpress.com/homepage/open_cm.shtml?referrer=widget
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0046804C 0_2_0046804C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004200F7 0_2_004200F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0043E34D 0_2_0043E34D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0044433A 0_2_0044433A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0042C3A7 0_2_0042C3A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004423B9 0_2_004423B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00490434 0_2_00490434
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004765D8 0_2_004765D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00466817 0_2_00466817
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00470828 0_2_00470828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00506895 0_2_00506895
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0043E885 0_2_0043E885
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00440955 0_2_00440955
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00404A93 0_2_00404A93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0046AC52 0_2_0046AC52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00434E74 0_2_00434E74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0040EFDB 0_2_0040EFDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004FEFE2 0_2_004FEFE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004451F7 0_2_004451F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00479193 0_2_00479193
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0040D213 0_2_0040D213
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0041745E 0_2_0041745E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0044F4C8 0_2_0044F4C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004034E2 0_2_004034E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004B348E 0_2_004B348E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00495655 0_2_00495655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0040B675 0_2_0040B675
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004D9608 0_2_004D9608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004D76CB 0_2_004D76CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00475736 0_2_00475736
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004417EC 0_2_004417EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0040189F 0_2_0040189F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00471965 0_2_00471965
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0044998F 0_2_0044998F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00489A1E 0_2_00489A1E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00443AE7 0_2_00443AE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0043FA85 0_2_0043FA85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00403BCC 0_2_00403BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0044BC95 0_2_0044BC95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00439E19 0_2_00439E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00495EBE 0_2_00495EBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0049FF3A 0_2_0049FF3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004B1FFB 0_2_004B1FFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_00475FB3 0_2_00475FB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: No import functions for PE file found
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal64.winEXE@3/9@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6160
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\be68b3b1-3d5f-45dd-8e7f-d4c3cc47c6bf
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: " /LOAD "%1"
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: /LOAD
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: klips/images/loading icon/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: " /LOAD "%1"
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: /LOAD
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: MD5::update: Can't update a finalized digest!MD5::finalize: Already finalized this digest!MD5::raw_digest: Can't get digest if you haven't finalized the digest!%02xMD5::hex_digest: Can't get digest if you haven't S_WND_300DSS_WND_300RICHED20.DLLcommdlg_FindReplaceHKEY_CURRENT_USER\Software\Classes\Klip File\shell\open\command" /LOAD "%1""\languages\.lang\skins\.ksk.kliRootDirKlipFolio.exe /LOADBroadcastSystemMessageBroadcastSystemMessageAuser32.dll/UNINSTALL</visible><visible></layout><layout></configure><configure></cch><cch></cctw><cctw></ccsw><ccsw></ccfw><ccfw></collapsetoolbar><collapsetoolbar></screeny><screeny></screenx><screenx></id><id>toolbars/ftbar/images/mini alt drag thumb/toolbars/ftbar/images/mini drag thumb/toolbars/ftbar/images/mini horizontal splitter/toolbars/ftbar/images/mini shine layer/toolbars/ftbar/images/mini menu button/toolbars/ftbar/images/mini size button/toolbars/ftbar/images/alt drag thumb/toolbars/ftbar/images/drag thumb/toolbars/ftbar/images/vertical splitter/toolbars/ftbar/images/horizontal splitter/toolbars/ftbar/images/half splitter left/toolbars/ftbar/images/half splitter right/toolbars/ftbar/images/shine layer/toolbars/ftbar/images/dragbar logo/toolbars/ftbar/images/connect button/toolbars/ftbar/images/disconnect button/toolbars/ftbar/images/startup button/toolbars/ftbar/images/help button/toolbars/ftbar/images/feed button/toolbars/ftbar/images/home button/toolbars/ftbar/images/menu button/toolbars/ftbar/images/refresh animation/toolbars/ftbar/images/minimize button/toolbars/ftbar/images/size button/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: klips/images/loading icon/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: The property 'WindowsgetClipboardURLgetInstallDirectorygetMachineTUIDgetAvailableKBytesgetCPUUsagequeryWMIlaunchDefaultBrowserlaunchDefaultMailClientTCPStatisticsoutsegsinsegsnumconnsTCPTablegetProcessIdgetStategetRemotePortgetLocalPortgetRemoteAddrgetLocalAddrWindowsPlatformIPHelpergetProcessNamerunCommandMIMEunquoteTextdecodeDateconvertTextcharsetToCodepagedecodeHeadernewDocumentEnginesMIMEXMLRPCTCPPlatformHTTPKlipFoodFileDeleteditemexpireDeletedItemsclearrestoreexpiryDynPrefvalue</link><note></note><extra></extra></item></klipfood>]]></title><link>><title><![CDATA[ iid="<klipfood><itempubdatetextItemsDeletedswapsortinsertprocessAutoRemovefindItemByIIDclearItemscancelPurgepurgepurgeItemsdelItemaddItemremoveduplicatessavehistoryautoremovecustomalertscanalertonDeletestatusvisiblebannericonvisiblestatusAltaltBiconAltaltABiconAappdirdatadirlangversionlanguagestartuptimefirstruncodepagebuildversionKlipKlipScript - alertdestroyTimercreateTimerdelaytracealertrequestRefreshbase64decodebase64encodeungarblegarbleconvertToTextcollapseWhitespaceprocessEntitiesstripTagsmd5digestKlipFolioPrefsSetupItemsEnginesKlipsearchvisiblesearchtextsearchwatermarkusedefaultprogressmessagesprogressmessagealertingkfbuildkfversionItem</link><note></note></item></klipfood></title><link>><title>ItemhasDatasetDatagetDataCountgetDatarecentdashboardcanvisitcandeletecanpurgenoteextraiidvisitedItemPropertiestabonCloseonUpgradeSetupinsertTabrenameTabdelTabremoveTabaddTabonOpenfalsetruePrefsDynPrefrefreshratefirstinstalllastrefreshuniqueiddefaultlinkautoclearalertsrefreshgranularitytitlecontentsourceloadingnodataclearCachedelPrefsetPrefgetPref - dialogs/klip setup/images/default banner/....skinDefault Skinbundles/skins/*.kskdialogs/app upgrade/images/upgrade not found icon/dialogs/app upgrade/images/upgrade found icon/dialogs/app upgrade/images/banner/dialogs/app upgrade/images/busy 
animation/http://www.serence.com/site.php?page=dnld_kfdialogs/klip upgrade/images/upgrade not found icon/dialogs/klip upgrade/images/caution icon/dialogs/klip upgrade/images/banner/klips/images/loading icon/upgrade=trueOK]}}},ia:,a:{h:",{h:"},k:[,r:,c:",k:,l:",d:,u:1",i:,a:{h:"data={r:{t:
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe String found in binary or memory: default.langinternal/default.langx-iscii-tex-iscii-tax-iscii-pax-iscii-orx-iscii-max-iscii-kax-iscii-gux-iscii-dex-iscii-bex-iscii-aswindows-1258johabwindows-1254latin3l3iso-ir-109iso_8859-3:1988iso_8859-3csisoiso-8859-3x-ebcdic-turkishcp1026x-mac-turkishiso-ir-148iso_8859-9:1989iso_8859-9latin5ibm857tis-620iso-8859-11dos-874windows-874x-ebcdic-thaix-mac-koreancsiso2022kriso-2022-krksc5601ksc_5601ks_c_5601-1989ks_c_5601_1987ks_c_5601koreaniso-ir-149cseuckreuc-krcsksc56011987ks_c_5601-1987x-ebcdic-koreanextendedx-ebcdic-koreanandkoreanextendedx-sjisshift-jiscsshiftjisshift_jis_iso-2022-jpcsiso2022jp_iso-2022-jp$sioiso-2022-jpx-ms-cp932ms_kanjicswindows31jx-mac-japanesex-euc-jpx-eucextended_unix_code_packed_format_for_japanesecseucpkdfmtjapaneseeuc-jpx-ebcdic-japanesekatakanax-ebcdic-japaneseanduscanadax-ebcdic-japaneseandjapaneselatinx-ebcdic-japaneseandkanax-ebcdic-hebrewiso_8859-8-iwindows-1255x-mac-hebrewvisualiso-ir-138iso_8859-8:1988iso_8859-8hebrewcsisolatinhebrewlogicaliso-8859-8-idos-862ibm869windows-1253x-mac-greekibm737iso-ir-126iso_8859-7:1987iso_8859-7greek8greekelot_928ecma-118csisolatingreekx-ebcdic-denmarknorway-eurox-ebcdic-denmarknorway 
x-ebcdic-greekx-ebcdic-greekmodernx-ebcdic-cyrillicserbianbulgarianx-ebcdic-cyrillicrussianx-mac-cyrillicx-cp1251windows-1251l5cyrillicibm866cp866csisolatincyrilliccsisolatin5iso-ir-144iso_8859-5:198iso_8859-5koi8-rukoi8-ukoi8rkoi8koicskoi8rx-ebcdic-traditionalchinesex-mac-chinesetradx-chinese-etenx-chinese-cnsx-x-big5csbig5cn-big5big5x-ebcdic-simplifiedchinesex-mac-chinesesimphz-gb-2312iso-ir-58gbkgb2312-80gb231280gb_2312-80csiso58gb231280csgb231280csgb2312cn-gbchinesegb2312x-euc-cneuc-cncp870x-cp1250windows-1250x-mac-celatin2l2csisolatin2cp852ibm852iso8859-2iso-ir-101iso_8859-2:1987iso_8859-2windows-1257latin4l4iso-ir-110iso_8859-4:1988iso_8859-4csisolatin4cp500ibm775iso-8859-4x-ebcdic-arabiccp1256windows-1256x-mac-arabiciso-ir-127iso_8859-6:1987iso_8859-6ecma-114csisolatinarabicdos-720asmo-708arabicus-asciilatin1utf-32beutf-32utf16utf-16pstpdtmstmdtcstedtcdtestututcgmt\backupbundles/legal/LICENSE.txtinstaller/images/license/ERRORInstallerDialoginstaller/images/prefs finder/installer/images/overview/installer/images/banner/installer/images/overview2/installer/images/ok icon/installer/images/error icon/Please specify a directory for installationInput RequestConfirmation RequestAre you sure you want to install into
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Section loaded: apphelp.dll
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static file information: File size 1474560 > 1048576
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x114000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0047F563 push eax; ret 0_2_0047F564
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_0047F532 push 3B000001h; ret 0_2_0047F537
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Code function: 0_2_004FE46E EntryPoint,LdrInitializeThunk, 0_2_004FE46E
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe Binary or memory string: Or\PUnable to start, code C0442Unable to start, code C0441Serence Technology CoreHeapSetInformationKernel32.dllBUTTONBUTTONonClickFolioNZFolioTTMZFolioTMZtooltips_class32COMBOBOXCOMBOBOXonChangeS_WND_STATICSTATICSysListView32SysListView32onSelectionChangeonDblClickonEndEditonStateChangeSCROLLBARCourier NewRichEdit20WonFocusonBlurmsctls_trackbar32ToolWindow32TrayNotifyWndShell_TrayWndFolioSysTabControl32SysTabControl32EDITEDITcomponentNg
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos