Edit tour

Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe
Analysis ID:	1527907
MD5:	152109865fa6bf8a6bbfb266c8178322
SHA1:	5c8d539cd1ef911c94688aa89412b1565e61653e
SHA256:	c2a503bd56357a5f9426b4c6e8835771af786d2de7cb6d4f55b0926832988ca2
Tags:	exe
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe" MD5: 152109865FA6BF8A6BBFB266C8178322)

WerFault.exe (PID: 3180 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5396 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://home.americanexpress.com/home/mt_personal_cm.shtml?source=widgetmenu
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://home.americanexpress.com/home/mt_personal_cm.shtml?source=widgetmenuhttp://travel.americanexp
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://travel.americanexpress.com/travel/personal/?referrer=widget
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.americanexpress.com/amexlabs/redirect/redirect1.html
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php?==?
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.membershiprewards.com/HomePage.aspx?=widget
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.serence.com/site.php?page=dnld_kf
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www.serence.com/site.php?page=dnld_kfdialogs/klip
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: http://www201.americanexpress.com/apply/Fmacfservlet?csi=0/22000/b/2/0958142007/094075531290/20/n&fr
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: https://www.americanexpress.com/homepage/open_cm.shtml?referrer=widget

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0046804C	0_2_0046804C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004200F7	0_2_004200F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0043E34D	0_2_0043E34D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0044433A	0_2_0044433A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0042C3A7	0_2_0042C3A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004423B9	0_2_004423B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00490434	0_2_00490434
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004765D8	0_2_004765D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00466817	0_2_00466817
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00470828	0_2_00470828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00506895	0_2_00506895
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0043E885	0_2_0043E885
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00440955	0_2_00440955
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00404A93	0_2_00404A93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0046AC52	0_2_0046AC52
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00434E74	0_2_00434E74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0040EFDB	0_2_0040EFDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004FEFE2	0_2_004FEFE2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004451F7	0_2_004451F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00479193	0_2_00479193
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0040D213	0_2_0040D213
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0041745E	0_2_0041745E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0044F4C8	0_2_0044F4C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004034E2	0_2_004034E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004B348E	0_2_004B348E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00495655	0_2_00495655
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0040B675	0_2_0040B675
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004D9608	0_2_004D9608
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004D76CB	0_2_004D76CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00475736	0_2_00475736
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004417EC	0_2_004417EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0040189F	0_2_0040189F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00471965	0_2_00471965
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0044998F	0_2_0044998F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00489A1E	0_2_00489A1E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00443AE7	0_2_00443AE7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0043FA85	0_2_0043FA85
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00403BCC	0_2_00403BCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0044BC95	0_2_0044BC95
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00439E19	0_2_00439E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00495EBE	0_2_00495EBE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0049FF3A	0_2_0049FF3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_004B1FFB	0_2_004B1FFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_00475FB3	0_2_00475FB3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6160

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\be68b3b1-3d5f-45dd-8e7f-d4c3cc47c6bf

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

ReversingLabs: Detection: 13%

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: " /LOAD "%1"
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: /LOAD
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: klips/images/loading icon/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: " /LOAD "%1"
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: /LOAD
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: MD5::update: Can't update a finalized digest!MD5::finalize: Already finalized this digest!MD5::raw_digest: Can't get digest if you haven't finalized the digest!%02xMD5::hex_digest: Can't get digest if you haven't S_WND_300DSS_WND_300RICHED20.DLLcommdlg_FindReplaceHKEY_CURRENT_USER\Software\Classes\Klip File\shell\open\command" /LOAD "%1""\languages\.lang\skins\.ksk.kliRootDirKlipFolio.exe /LOADBroadcastSystemMessageBroadcastSystemMessageAuser32.dll/UNINSTALL</visible><visible></layout><layout></configure><configure></cch><cch></cctw><cctw></ccsw><ccsw></ccfw><ccfw></collapsetoolbar><collapsetoolbar></screeny><screeny></screenx><screenx></id><id>toolbars/ftbar/images/mini alt drag thumb/toolbars/ftbar/images/mini drag thumb/toolbars/ftbar/images/mini horizontal splitter/toolbars/ftbar/images/mini shine layer/toolbars/ftbar/images/mini menu button/toolbars/ftbar/images/mini size button/toolbars/ftbar/images/alt drag thumb/toolbars/ftbar/images/drag thumb/toolbars/ftbar/images/vertical splitter/toolbars/ftbar/images/horizontal splitter/toolbars/ftbar/images/half splitter left/toolbars/ftbar/images/half splitter right/toolbars/ftbar/images/shine layer/toolbars/ftbar/images/dragbar logo/toolbars/ftbar/images/connect button/toolbars/ftbar/images/disconnect button/toolbars/ftbar/images/startup button/toolbars/ftbar/images/help button/toolbars/ftbar/images/feed button/toolbars/ftbar/images/home button/toolbars/ftbar/images/menu button/toolbars/ftbar/images/refresh animation/toolbars/ftbar/images/minimize button/toolbars/ftbar/images/size button/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: klips/images/loading icon/
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: The property 'WindowsgetClipboardURLgetInstallDirectorygetMachineTUIDgetAvailableKBytesgetCPUUsagequeryWMIlaunchDefaultBrowserlaunchDefaultMailClientTCPStatisticsoutsegsinsegsnumconnsTCPTablegetProcessIdgetStategetRemotePortgetLocalPortgetRemoteAddrgetLocalAddrWindowsPlatformIPHelpergetProcessNamerunCommandMIMEunquoteTextdecodeDateconvertTextcharsetToCodepagedecodeHeadernewDocumentEnginesMIMEXMLRPCTCPPlatformHTTPKlipFoodFileDeleteditemexpireDeletedItemsclearrestoreexpiryDynPrefvalue</link><note></note><extra></extra></item></klipfood>]]></title><link>><title><![CDATA[ iid="<klipfood><itempubdatetextItemsDeletedswapsortinsertprocessAutoRemovefindItemByIIDclearItemscancelPurgepurgepurgeItemsdelItemaddItemremoveduplicatessavehistoryautoremovecustomalertscanalertonDeletestatusvisiblebannericonvisiblestatusAltaltBiconAltaltABiconAappdirdatadirlangversionlanguagestartuptimefirstruncodepagebuildversionKlipKlipScript - alertdestroyTimercreateTimerdelaytracealertrequestRefreshbase64decodebase64encodeungarblegarbleconvertToTextcollapseWhitespaceprocessEntitiesstripTagsmd5digestKlipFolioPrefsSetupItemsEnginesKlipsearchvisiblesearchtextsearchwatermarkusedefaultprogressmessagesprogressmessagealertingkfbuildkfversionItem</link><note></note></item></klipfood></title><link>><title>ItemhasDatasetDatagetDataCountgetDatarecentdashboardcanvisitcandeletecanpurgenoteextraiidvisitedItemPropertiestabonCloseonUpgradeSetupinsertTabrenameTabdelTabremoveTabaddTabonOpenfalsetruePrefsDynPrefrefreshratefirstinstalllastrefreshuniqueiddefaultlinkautoclearalertsrefreshgranularitytitlecontentsourceloadingnodataclearCachedelPrefsetPrefgetPref - dialogs/klip setup/images/default banner/....skinDefault Skinbundles/skins/*.kskdialogs/app upgrade/images/upgrade not found icon/dialogs/app upgrade/images/upgrade found icon/dialogs/app upgrade/images/banner/dialogs/app upgrade/images/busy animation/http://www.serence.com/site.php?page=dnld_kfdialogs/klip upgrade/images/upgrade not found icon/dialogs/klip upgrade/images/caution icon/dialogs/klip upgrade/images/banner/klips/images/loading icon/upgrade=trueOK]}}},ia:,a:{h:",{h:"},k:[,r:,c:",k:,l:",d:,u:1",i:,a:{h:"data={r:{t:
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	String found in binary or memory: default.langinternal/default.langx-iscii-tex-iscii-tax-iscii-pax-iscii-orx-iscii-max-iscii-kax-iscii-gux-iscii-dex-iscii-bex-iscii-aswindows-1258johabwindows-1254latin3l3iso-ir-109iso_8859-3:1988iso_8859-3csisoiso-8859-3x-ebcdic-turkishcp1026x-mac-turkishiso-ir-148iso_8859-9:1989iso_8859-9latin5ibm857tis-620iso-8859-11dos-874windows-874x-ebcdic-thaix-mac-koreancsiso2022kriso-2022-krksc5601ksc_5601ks_c_5601-1989ks_c_5601_1987ks_c_5601koreaniso-ir-149cseuckreuc-krcsksc56011987ks_c_5601-1987x-ebcdic-koreanextendedx-ebcdic-koreanandkoreanextendedx-sjisshift-jiscsshiftjisshift_jis_iso-2022-jpcsiso2022jp_iso-2022-jp$sioiso-2022-jpx-ms-cp932ms_kanjicswindows31jx-mac-japanesex-euc-jpx-eucextended_unix_code_packed_format_for_japanesecseucpkdfmtjapaneseeuc-jpx-ebcdic-japanesekatakanax-ebcdic-japaneseanduscanadax-ebcdic-japaneseandjapaneselatinx-ebcdic-japaneseandkanax-ebcdic-hebrewiso_8859-8-iwindows-1255x-mac-hebrewvisualiso-ir-138iso_8859-8:1988iso_8859-8hebrewcsisolatinhebrewlogicaliso-8859-8-idos-862ibm869windows-1253x-mac-greekibm737iso-ir-126iso_8859-7:1987iso_8859-7greek8greekelot_928ecma-118csisolatingreekx-ebcdic-denmarknorway-eurox-ebcdic-denmarknorway x-ebcdic-greekx-ebcdic-greekmodernx-ebcdic-cyrillicserbianbulgarianx-ebcdic-cyrillicrussianx-mac-cyrillicx-cp1251windows-1251l5cyrillicibm866cp866csisolatincyrilliccsisolatin5iso-ir-144iso_8859-5:198iso_8859-5koi8-rukoi8-ukoi8rkoi8koicskoi8rx-ebcdic-traditionalchinesex-mac-chinesetradx-chinese-etenx-chinese-cnsx-x-big5csbig5cn-big5big5x-ebcdic-simplifiedchinesex-mac-chinesesimphz-gb-2312iso-ir-58gbkgb2312-80gb231280gb_2312-80csiso58gb231280csgb231280csgb2312cn-gbchinesegb2312x-euc-cneuc-cncp870x-cp1250windows-1250x-mac-celatin2l2csisolatin2cp852ibm852iso8859-2iso-ir-101iso_8859-2:1987iso_8859-2windows-1257latin4l4iso-ir-110iso_8859-4:1988iso_8859-4csisolatin4cp500ibm775iso-8859-4x-ebcdic-arabiccp1256windows-1256x-mac-arabiciso-ir-127iso_8859-6:1987iso_8859-6ecma-114csisolatinarabicdos-720asmo-708arabicus-asciilatin1utf-32beutf-32utf16utf-16pstpdtmstmdtcstedtcdtestututcgmt\backupbundles/legal/LICENSE.txtinstaller/images/license/ERRORInstallerDialoginstaller/images/prefs finder/installer/images/overview/installer/images/banner/installer/images/overview2/installer/images/ok icon/installer/images/error icon/Please specify a directory for installationInput RequestConfirmation RequestAre you sure you want to install into

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe "C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static file information: File size 1474560 > 1048576

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x114000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0047F563 push eax; ret		0_2_0047F564
Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Code function: 0_2_0047F532 push 3B000001h; ret		0_2_0047F537

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Code function: 0_2_004FE46E EntryPoint,LdrInitializeThunk,

0_2_004FE46E

Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	Binary or memory string: Or\PUnable to start, code C0442Unable to start, code C0441Serence Technology CoreHeapSetInformationKernel32.dllBUTTONBUTTONonClickFolioNZFolioTTMZFolioTMZtooltips_class32COMBOBOXCOMBOBOXonChangeS_WND_STATICSTATICSysListView32SysListView32onSelectionChangeonDblClickonEndEditonStateChangeSCROLLBARCourier NewRichEdit20WonFocusonBlurmsctls_trackbar32ToolWindow32TrayNotifyWndShell_TrayWndFolioSysTabControl32SysTabControl32EDITEDITcomponentNg

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	13%	ReversingLabs
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	100%	Avira	HEUR/AGEN.1341547
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown
http://www.membershiprewards.com/HomePage.aspx?=widget	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php?==?	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown
http://www.serence.com/site.php?page=dnld_kfdialogs/klip	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown
http://www.klipfolio.com/phplib/scripts/tools/mailtofriend.php	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown
http://www.serence.com/site.php?page=dnld_kf	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1527907
Start date and time:	2024-10-07 11:36:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe
Detection:	MAL
Classification:	mal64.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Simulations

Behavior and APIs

Time	Type	Description
05:37:27	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_e725c4998f2ba627acb67b53dd0cceda535ad98_4776a078_87f0d626-6d6e-4be0-b621-260d8459f5a4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6889545530032476
Encrypted:	false
SSDEEP:	96:O1Ffcu+T+sTXOsbhMyoI7JfdQXIDcQvc6QcEVcw3cE/P+HbHg6ZAX/d5FMT2SlP2:SNcNNTXON0BU/IjEzuiF8Z24IO8b
MD5:	D961BE2A09BFB11025D8F976D59236D6
SHA1:	5CC688C3B9D4B0A46862A014CD524536BA80AEAC
SHA-256:	1AF3434A2EE474BD28E6875A5BEC728A4B1F1740D1294E6FB81AFDF810BCFC6A
SHA-512:	868F536E788741B0B1214A9CFF0CC263A290FE5420AD2E03EF660A80EF158C724D28EADEFB534762FE5CC0407BD3243C775797CF7B9E142BDCB7F4812B882692
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.6.7.4.2.2.3.0.5.0.8.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.6.7.4.2.2.5.5.5.0.8.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.f.0.d.6.2.6.-.6.d.6.e.-.4.b.e.0.-.b.6.2.1.-.2.6.0.d.8.4.5.9.f.5.a.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.1.2.7.c.4.a.-.2.2.e.d.-.4.3.6.0.-.8.c.6.a.-.7.e.b.4.d.4.c.d.f.9.9.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r.i.s.t.i.c...H.E.U.R...A.G.E.N...1.3.4.1.5.4.7...2.8.5.7...1.0.6.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.0.-.0.0.0.1.-.0.0.1.4.-.4.b.4.d.-.6.7.7.6.9.c.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.6.b.b.a.2.5.5.0.1.4.f.9.e.b.4.d.4.5.7.9.6.8.6.f.4.2.2.b.a.c.0.0.0.0.f.f.f.f.!.0.0.0.0.5.c.8.d.5.3.9.c.d.1.e.f.9.1.1.c.9.4.6.8.8.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f97a154eca4d9e66511a6419fa11876b2554a68_4776a078_d0e779fb-6d15-4014-8ef4-9ecf278ccc60\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6892007972969236
Encrypted:	false
SSDEEP:	96:24wFdzQqh+sWOsbhMyo67JfmQXIDcQ9c6CcEGcw3Bk++HbHg6ZAX/d5FMT2SlPkT:SfzQwNWO80TGM1kPjEzuiF8Z24IO8b
MD5:	4533BFCC58CBEF5168B9D20B95F8ED1A
SHA1:	2ABB8AC7488E05915633729AA750C66E77ACA193
SHA-256:	EE228B3FFCFF65984A740C69A33DE474FEC1E66520D4F0D1EDABF4AC804FC863
SHA-512:	903940135E02975EA4FD10E61B183BD569AF90905C4EB856FD020F15BB992AA86F84417421FB26F6CDAE52672A55CBBF18E8A61B0A7B249E70FAE8946443D33B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.6.7.4.4.7.8.4.8.6.9.0.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.6.7.4.4.8.1.1.4.3.2.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.0.e.7.7.9.f.b.-.6.d.1.5.-.4.0.1.4.-.8.e.f.4.-.9.e.c.f.2.7.8.c.c.c.6.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.0.5.8.e.b.4.-.c.4.3.d.-.4.0.5.6.-.8.d.c.d.-.6.3.b.9.6.6.d.d.9.5.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r.i.s.t.i.c...H.E.U.R...A.G.E.N...1.3.4.1.5.4.7...2.8.5.7...1.0.6.6.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.1.0.-.0.0.0.1.-.0.0.1.4.-.4.b.4.d.-.6.7.7.6.9.c.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.6.b.b.a.2.5.5.0.1.4.f.9.e.b.4.d.4.5.7.9.6.8.6.f.4.2.2.b.a.c.0.0.0.0.f.f.f.f.!.0.0.0.0.5.c.8.d.5.3.9.c.d.1.e.f.9.1.1.c.9.4.6.8.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A26.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 09:37:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18718
Entropy (8bit):	1.9741070686805364
Encrypted:	false
SSDEEP:	96:568mizyfMei7nlRW4y2JoYRbBWIkWIFQI4a1GtWt:PqOlMI1aEtW
MD5:	806D9FD50A2122E5FA3949645A59CC60
SHA1:	64FC6617313A2E8753773FA76921926F558A5A90
SHA-256:	CA9C416AEBBD65A34B242A128A41FE0763C6573078B4CA53C46FE1D4C4C85F95
SHA-512:	338479761E449617689812D4ADE3D376CEA4C141E108EF0AEE5D46AD6E311C0ED2CBAAD263EB4ED8F175F92CB7BF5CF614B50752A4448EE1DD02A3E7D6D3EDAB
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A65.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8506
Entropy (8bit):	3.709405590916636
Encrypted:	false
SSDEEP:	192:R6l7wVeJWL6L6YEIISUNZgmfCCd/pr089bvZesfCpc/lm:R6lXJS6L6YE3SUNZgmfPxvZdfCyg
MD5:	9186330D2A39F17E76B970118C8F0D01
SHA1:	D22175F7717BC6636B62E8183255187F42075D39
SHA-256:	07922594821E52D8A515B94E603CA16E27ED390A9358230816F38F7021E7B220
SHA-512:	53A1D6D35ACBEDFF0DC54F75F666837AF3EBF6509234FD44525B3E12A56D3F24E4314DE8F523F85A7FC2CC5A454C7ECD3B3CC076BBE46E41AAE221229CFA0CE9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A85.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4844
Entropy (8bit):	4.612919201654738
Encrypted:	false
SSDEEP:	48:cvIwWl8zsktJg77aI95wlnWpW8VY+itYm8M4JegF2+q8/ze88+9bd:uIjfkHI7007VjPJYCe88+9bd
MD5:	7F39F8E3877BDA8E4315FA277F4A9DFE
SHA1:	96F375C5F311AA58B855CA2CA6A25AB5A4D785ED
SHA-256:	AC113FAA2162CA4017AE59AA95C1D8BE5F184762DBD5734D80BD06170AED78C8
SHA-512:	F242BEF6586E5F4F6D9AB52FFBEF063FEBE3DB164C64764BBF46806B73C4BBD7B816E53BA0AB7FEAA3073FC3AD4C8BCDED8EB2F03BF17A34D0082CBE6FBAA8F9
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="532839" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E00.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 09:37:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18586
Entropy (8bit):	1.9344574976872688
Encrypted:	false
SSDEEP:	96:5H8y8zyfcgp4ii7nVeVUAH4WyDdD6geBWIkWIxQIwsYF+m5:ypXiOuYtOh8m5
MD5:	1F1A3AA9F3D251846908FC66300D5FCA
SHA1:	6B3D6A2959A5DD2769009C121167779634127188
SHA-256:	0DC45C73EB95E6670595BA316016E2337BC463BB4A49F666065824DA538E3680
SHA-512:	163B0FA9D8CA9AC4501884F50B951EC87161DE4AEDE52D7D74D178AAD84C40FE68B7D6880588E9C6BE06854C2ED3E86356E769D465BFEE03EF448F7D0264F7E7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........g............4...............<.......T...............T.......8...........T...........H...R?......................................................................................................eJ......L.......GenuineIntel............T..............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E30.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8518
Entropy (8bit):	3.7068428084519662
Encrypted:	false
SSDEEP:	192:R6l7wVeJW16/0f6YEIaSUA5gmfCFWk2/pD089bAZesfczQagm:R6lXJ86/0f6YE1SUA5gmfMWXAZdfczQc
MD5:	D867BC62A6B1BA516A5033EAE0B8AAC9
SHA1:	5620CBA06E67E05610F1A638C93669F72C4D37F9
SHA-256:	B6B139DA8ABB5522A018BCD3237AD373A4450B49444C5C23A32C1BAF0F2A1397
SHA-512:	B4F94751B9DA5372D8986BE723CBD18D2FE984BFF56D50F24593A0B9BE51A4B7181C12D8CFF4880933B487A8E424FCFDB7C019E67B31E88D44B699EABA4C3A36
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E50.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4848
Entropy (8bit):	4.613601577305639
Encrypted:	false
SSDEEP:	48:cvIwWl8zsYJg77aI95wlnWpW8VY+sPYm8M4JevOqF21+q8VhOBe88+9bd:uIjfeI7007VjsSJEqyee88+9bd
MD5:	8DC05C77CA91ED69E5F9ECB9FB4E4FEA
SHA1:	0EF81B8B9BD4D88AF0F8C3FF6C0584BE93968A8E
SHA-256:	AFA42488CA5ACF19A0C8C9154422221DB0CA3FE716FEF0E8E3D66F9A68E30F55
SHA-512:	58D8DAC10C28B1CDB7DB82629EBA204AD4F4444FDA8A2E9A457503B43B431198DF04F1A7A5393DC7A5C71AED038D8CCDDB9FC8E01BD52677CD3674176F27C971
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="532840" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421742745787778
Encrypted:	false
SSDEEP:	6144:VSvfpi6ceLP/9skLmb0OTRWSPHaJG8nAgeMZMMhA2fX4WABlEnNs0uhiTwn:cvloTRW+EZMM6DFya03wn
MD5:	817AD0BF49DEA2B2316FA7682546ABC3
SHA1:	1CF2FCEBEBADC033D728DC165468C291EC518335
SHA-256:	7F3A970DFE5DF6B90FFFCCB8BCA23CBAF0029B963FFE8516A6DC821FB7EDE973
SHA-512:	E6B9C847B5CF301FA7092BF2166F0EA23F50D9078ABA0516CAF434876516FD9CE0349B5D81F7ECAE8878F7DC13442ED3EF4E0FA64F0B4A67BBB257C8D6666040
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.+.v...................................................................................................................................................................................................................................................................................................................................................B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.12827765838489
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe
File size:	1'474'560 bytes
MD5:	152109865fa6bf8a6bbfb266c8178322
SHA1:	5c8d539cd1ef911c94688aa89412b1565e61653e
SHA256:	c2a503bd56357a5f9426b4c6e8835771af786d2de7cb6d4f55b0926832988ca2
SHA512:	90acf15354956c6831bc46efb6ef5b82fcb0d7e1b6b01494f4d2ca29cb8e0163fa08ed6e41c362a4c98bd7c8450c03a521b48a2b5f86be1f69bbe7778ab6fc1b
SSDEEP:	24576:Gf5OnzwN8QT6MjZvhlv/jFWrrPLIR3CR+19I4QVFsK8MkMwMlaf9RKXodHNidfNO:GmwN8QWSFhlv/jFWrvWyRU9DQsK8MkMN
TLSH:	4365BFAD77C2CC56D8258EF15914EB04DEEAA755CAB6C88F113CFC8E87380A9C386715
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................@...0......n......

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4fe46e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0051AB20h
push 004FFA4Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00515274h]
xor edx, edx
mov dl, ah
mov dword ptr [0053D58Ch], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0053D588h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0053D584h], ecx
shr eax, 10h
mov dword ptr [0053D580h], eax
push 00000001h
call 00007F4A4D74F54Fh
pop ecx
test eax, eax
jne 00007F4A1C9DE61Ah
push 0000001Ch
call 00007F49B472F54Fh
pop ecx
call 00007F49C590F54Fh
test eax, eax
jne 00007F4A1C9DE61Ah
push 00000010h
call 00007F49B472F54Fh
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F49B8A5F64Fh
call dword ptr [005151F8h]
mov dword ptr [0053E7D0h], eax
call 00007F4A75E6F64Fh
mov dword ptr [0053D5C4h], eax
call 00007F4A28E4F64Fh
call 00007F4A6FE3F64Fh
call 00007F4A5A55F54Fh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00515270h]
call 00007F4A17E2F64Fh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F4A1C9DE618h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x128cf0	0x85	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x127078	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x140000	0x27048	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x115000	0x560	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x114000	0x114000	7487c85158e645170f3ade52bc65351d	False	0.45840409873188404	COM executable for DOS	6.713781471624988	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x115000	0x14000	0x14000	9ee6ca9718ce471939d735ead21705e1	False	0.25218505859375	data	4.336505082324772	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x129000	0x17000	0x17000	e37f0f8005abee0dbbb82324ba04a584	False	0.2867484714673913	data	4.06456226231229	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x140000	0x28000	0x28000	8e61f19cb7bdd8ef0844961b2f9c62f7	False	0.003533935546875	data	0.060700746938513225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Exports

Name	Ordinal	Address
?KeyboardHookCallback@@YGJHIJ@Z	1	0x42f832
?MouseHookCallback@@YGJHIJ@Z	2	0x42f8a4

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exePID: 6160, Parent PID: 1028

General

Target ID:	0
Start time:	05:37:01
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe"
Imagebase:	0x400000
File size:	1'474'560 bytes
MD5 hash:	152109865FA6BF8A6BBFB266C8178322
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3180, Parent PID: 6160

General

Target ID:	3
Start time:	05:37:02
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232
Imagebase:	0xa00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 5396, Parent PID: 6160

General

Target ID:	8
Start time:	05:37:27
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6160 -s 232
Imagebase:	0xa00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exePID: 6160, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 004FE46E Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 004FE494

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0827bb73fbdcd629f9b51389938fe7f3f99c95f11b392180fe403113a55eda5f
Instruction ID: d95ed65289f8d16e66510dc726d4cf422ffd44bbfc5291ee3925adc18b44ecbb
Opcode Fuzzy Hash: 0827bb73fbdcd629f9b51389938fe7f3f99c95f11b392180fe403113a55eda5f
Instruction Fuzzy Hash: 0421C1B1900705AFDB14AFB5AC05B7E7BB8EF54734F10472AE5219B2E0DB788884DB61

Function 004FFA4C Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 004FFAF3

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ef0d4d46ff744e9664b43b4876ba45444ba7127a83c631e45cb689b0944ddad
Instruction ID: 3ba0d7c4ce098de235337bca47c1c0d6c2b37c777cb07e6c4f46b0c01403bc06
Opcode Fuzzy Hash: 3ef0d4d46ff744e9664b43b4876ba45444ba7127a83c631e45cb689b0944ddad
Instruction Fuzzy Hash: 662165329002089BCB10DF58D884ABAB768FF04360F4446A6ED29972C5E735F969CBE0

Non-executed Functions

Function 004D9608 Relevance: 40.7, Strings: 31, Instructions: 1940COMMON

Download Yara Rule

Strings

>, xrefs: 004D9918
#, xrefs: 004DA1E2
=, xrefs: 004DA1DD
$, xrefs: 004DAD21
\, xrefs: 004D973A
., xrefs: 004D97C1
', xrefs: 004D983B
_, xrefs: 004DAD18
0, xrefs: 004DA80E
\, xrefs: 004D9A0F
), xrefs: 004D9853
+, xrefs: 004D9EDE
_, xrefs: 004D9A54
-, xrefs: 004D9EE3
=, xrefs: 004DA21C
., xrefs: 004D9DAF
_, xrefs: 004D9728
(zS, xrefs: 004D9D36
#, xrefs: 004DA245
#%u%c, xrefs: 004DA1EE
$, xrefs: 004D9788
", xrefs: 004D9832
_, xrefs: 004D977F
:, xrefs: 004D9844
0, xrefs: 004D9BAB
$, xrefs: 004D9731
$, xrefs: 004D9A59
], xrefs: 004D992D
,zS, xrefs: 004D9D2F
-, xrefs: 004D96DF
8, xrefs: 004D9D2A

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: "$#$#$#%u%c$$$$$$$$$'$(zS$)$+$,zS$-$-$.$.$0$0$8$:$=$=$>$\$\$]$_$_$_$_
API String ID: 0-1433155925
Opcode ID: de8c3cf8bed5f0983734abe0531c0367e9a3bbded49e67dd53466287e9f6f13e
Instruction ID: d2aa16120c524ae5cc029901451889e4b8c36d31b017eecda6bfcc06435da7eb
Opcode Fuzzy Hash: de8c3cf8bed5f0983734abe0531c0367e9a3bbded49e67dd53466287e9f6f13e
Instruction Fuzzy Hash: B6E21671114701AEDB248F24D8A1BBA33A4EF01324F14861FF965CA3D0EB78ED95DB5A

Function 0041745E Relevance: 28.7, Strings: 22, Instructions: 1199COMMON

Download Yara Rule

Strings

If-None-Match, xrefs: 004175D3
&sponsorID=, xrefs: 00417771
http, xrefs: 00417F60
HTTP/1.1, xrefs: 00417933
location, xrefs: 00417F47
Content-Encoding, xrefs: 00417CE7
gzip, xrefs: 00417CFD
set-cookie, xrefs: 00417C89
memberID=XXX&sponsorID=YYY, xrefs: 00417721
proxy-authorization, xrefs: 004179DB
2, xrefs: 004177F2
Set-Cookie, xrefs: 00417C6D, 0041807E
Location, xrefs: 00417F26
User-Agent, xrefs: 004176B5
If-Modified-Since, xrefs: 004175EC
Content-type, xrefs: 004180BF
Basic , xrefs: 00417A5C
Cookie, xrefs: 00417CAD, 00417CC2, 0041809D
Proxy-Authorization, xrefs: 004179BD, 004179C2, 00417A90
Content-length, xrefs: 004180CD
HEAD, xrefs: 004174D5
Referer, xrefs: 00418071

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: &sponsorID=$2$Basic $Content-Encoding$Content-length$Content-type$Cookie$HEAD$HTTP/1.1$If-Modified-Since$If-None-Match$Location$Proxy-Authorization$Referer$Set-Cookie$User-Agent$gzip$http$location$memberID=XXX&sponsorID=YYY$proxy-authorization$set-cookie
API String ID: 0-1398579905
Opcode ID: 56a96a367cfe0b595347523827e092160806dcd6af1b62c4ea7edb555d4fa459
Instruction ID: c52de2479cb908a551c2554d7af60b5ba2e3b3aa4c0e6e7a65742dbf848b2c9f
Opcode Fuzzy Hash: 56a96a367cfe0b595347523827e092160806dcd6af1b62c4ea7edb555d4fa459
Instruction Fuzzy Hash: E5A2ED31A043499BDB25DFA8DC84BEEBBB1AF45330F14075AE075A72E1DB389885CB15

Function 00506895 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

+, xrefs: 00506A8A
e, xrefs: 0050698D
9, xrefs: 00506AE2
c, xrefs: 00506984
0, xrefs: 005069BF
0, xrefs: 00506A36
E, xrefs: 0050697F
0, xrefs: 00506B03
9, xrefs: 00506904
-, xrefs: 00506A93
-, xrefs: 0050696C
0, xrefs: 00506971
9, xrefs: 00506956
1, xrefs: 00506ADA
9, xrefs: 00506B26
9, xrefs: 005069AA
+, xrefs: 00506967
9, xrefs: 00506B16
1, xrefs: 00506B0D
0, xrefs: 00506B34
C, xrefs: 00506976

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: 1138c12be023931b11817c89cd952865c325a82b629c9e2fd6ce254dbf496c27
Instruction ID: 39a65f6f04976afb8e839eecfa7c591657ca8fffcda18ddc904d510209c65160
Opcode Fuzzy Hash: 1138c12be023931b11817c89cd952865c325a82b629c9e2fd6ce254dbf496c27
Instruction Fuzzy Hash: CDE10F71E5520ADEEB258F68C8553FD7FB1FB40320F28862BD451EA2D2D7748AA1CB50

Function 0040D213 Relevance: 10.7, Strings: 8, Instructions: 729COMMON

Download Yara Rule

Strings

TrayNotifyWnd, xrefs: 0040D875
Folio, xrefs: 0040D73C
ToolWindow32, xrefs: 0040D886
0, xrefs: 0040D61A
S_WND_, xrefs: 0040D5B0
:, xrefs: 0040D666
Shell_TrayWnd, xrefs: 0040D864
X, xrefs: 0040DA80

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0$:$Folio$S_WND_$Shell_TrayWnd$ToolWindow32$TrayNotifyWnd$X
API String ID: 0-1944771203
Opcode ID: 2cf2172d9b53456dd3acf1866de18d00e6f704ab0a628a4b19322dee5731e245
Instruction ID: b65e53909aa6990765d0133a68bc0266f76f850d2432c2b0bd24778997badc26
Opcode Fuzzy Hash: 2cf2172d9b53456dd3acf1866de18d00e6f704ab0a628a4b19322dee5731e245
Instruction Fuzzy Hash: CD428C71900205AFDB20CFA4DC84AAE7BB8FF44310F14862AF566A76E0D778ED49DB54

Function 0040EFDB Relevance: 8.1, Strings: 6, Instructions: 608COMMON

Download Yara Rule

Strings

EDIT, xrefs: 0040F5CC
onFocus, xrefs: 0040F2DE
EDIT, xrefs: 0040F571
onClick, xrefs: 0040F20E
onChange, xrefs: 0040F423
onBlur, xrefs: 0040F2AC

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: EDIT$EDIT$onBlur$onChange$onClick$onFocus
API String ID: 0-2899121265
Opcode ID: 055075c495695278020ffb29927d0f62777ae3589af8b3e218774c9dac8779fd
Instruction ID: 9190ca2dc4f0651ad6f8ffec1fcade7bbda2d2348944a6a5475171b27020f4fd
Opcode Fuzzy Hash: 055075c495695278020ffb29927d0f62777ae3589af8b3e218774c9dac8779fd
Instruction Fuzzy Hash: 8B22E472100641AFDB309F64DC84D6B77A5EF48320B148B3AF566ABAE1C775EC89CB14

Function 00470828 Relevance: 6.9, Strings: 5, Instructions: 665COMMON

Download Yara Rule

Strings

d, xrefs: 00470D10
onUpdate, xrefs: 00470985, 00470A90
ItemProperties, xrefs: 00470A2E
onCreate, xrefs: 00470BFE, 00470CAB
Item, xrefs: 004709D5, 00470C4D

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Item$ItemProperties$d$onCreate$onUpdate
API String ID: 0-3355200302
Opcode ID: cb998cab6e921110d598153536c6eaba6b167ff25a2d634c9daaa71ada796879
Instruction ID: 9e79731e0de87e309445754a0e8fd3896ee6ccd5fb137c62acbbe2ded8fc5eea
Opcode Fuzzy Hash: cb998cab6e921110d598153536c6eaba6b167ff25a2d634c9daaa71ada796879
Instruction Fuzzy Hash: 38525A71A01304DFDB24CF68C884BAEB7F1BF49324F14866AE56A9B3E1C774A841CB55

Function 004200F7 Relevance: 5.9, Strings: 4, Instructions: 886COMMON

Download Yara Rule

Strings

not(, xrefs: 004207A0
:attribute(, xrefs: 00420891
attval(, xrefs: 004208B3
,, xrefs: 00420AEB

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,$:attribute($attval($not(
API String ID: 0-1389088720
Opcode ID: 0859d23a4aee2c5b3b762862f12fcc6b12807bdaa21c73ec3958217031abe8f8
Instruction ID: d8f89266f30b1cfd837f35e92f5c18d7f8a981e47d47f2c54e4870b8ced8186f
Opcode Fuzzy Hash: 0859d23a4aee2c5b3b762862f12fcc6b12807bdaa21c73ec3958217031abe8f8
Instruction Fuzzy Hash: 1C82AF71E043559FCB04CFA8D454AAEBBF0EF04320F18869AD465EB3E2D7789981CB95

Function 0046AC52 Relevance: 5.6, Strings: 4, Instructions: 628COMMON

Download Yara Rule

Strings

\myklips\, xrefs: 0046B1DA
<version>, xrefs: 0046B0B0
</version>, xrefs: 0046B0CB
</klip>, xrefs: 0046AEB3

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: </klip>$</version>$<version>$\myklips\
API String ID: 0-1899208773
Opcode ID: 91878f83b9d8ca8c93bee4671237b4a34c14837f592224f9bf8a8649a5d598b1
Instruction ID: bb92c639feaa699605a3d1e419b7ef8540ba584584244a746d6764b2b084ebfe
Opcode Fuzzy Hash: 91878f83b9d8ca8c93bee4671237b4a34c14837f592224f9bf8a8649a5d598b1
Instruction Fuzzy Hash: CA428E31A00205DFCB15CFA9C994AAD77F1FF54320F1406AAE426AB3E1EB346D85CB56

Function 004B1FFB Relevance: 4.6, Strings: 3, Instructions: 880COMMON

Download Yara Rule

Strings

0zQ, xrefs: 004B2412
5, xrefs: 004B2407
PyQ, xrefs: 004B2315

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 0zQ$5$PyQ
API String ID: 0-613121781
Opcode ID: a7c0008604e45633d42f258f3c4dcaa97c55d960fbd43af58ba8af8dd95f8e22
Instruction ID: 150a651721f1db14b58bcf2a5d48aa34c613db944f63b781d3c9789385a9bb29
Opcode Fuzzy Hash: a7c0008604e45633d42f258f3c4dcaa97c55d960fbd43af58ba8af8dd95f8e22
Instruction Fuzzy Hash: 1E62F371D00619DBDF25CFD8DA402EEBBB1FF44320F24825BD461A62D4DBB84A45DB68

Function 00403BCC Relevance: 4.5, Strings: 3, Instructions: 784COMMON

Download Yara Rule

Strings

COMBOBOX, xrefs: 0040404A
COMBOBOX, xrefs: 00404081
onChange, xrefs: 00403F55

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: COMBOBOX$COMBOBOX$onChange
API String ID: 0-284224068
Opcode ID: baccfce857b7d9cb22d1710f829c7325dbfa43562cb2f26efafd98c21980672e
Instruction ID: 95a1aed58e7093dd618f368dde7fd8a2b98de33802d062d71e40e5b0278d9acd
Opcode Fuzzy Hash: baccfce857b7d9cb22d1710f829c7325dbfa43562cb2f26efafd98c21980672e
Instruction Fuzzy Hash: C35293B2500245AFDB208F64DC84DAB7BB9FF94354B008929F626AB2E0D774ED45DB24

Function 0040189F Relevance: 4.3, Strings: 3, Instructions: 543COMMON

Download Yara Rule

Strings

BUTTON, xrefs: 00401DF4
onClick, xrefs: 00401B2C, 00401BFF
BUTTON, xrefs: 00401D90

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BUTTON$BUTTON$onClick
API String ID: 0-2769331960
Opcode ID: 8145f818587894722ba90a982f121e44ad6e8cb0e11012fb5097b356604ac537
Instruction ID: f02fb58dfe7b55ff9242d8efbba008056d2de2647608481fd2bccfdd1e4d6b73
Opcode Fuzzy Hash: 8145f818587894722ba90a982f121e44ad6e8cb0e11012fb5097b356604ac537
Instruction Fuzzy Hash: 8A125A71600242AFDB20CF68DC84D6B7BE5AF44720B148A39F526AB6F1D735EC85DB24

Function 00439E19 Relevance: 4.2, Strings: 1, Instructions: 2936COMMON

Download Yara Rule

Strings

C, xrefs: 0043C0A2

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: a05b32f64fbb7998eaa18aa76dfd1313958748ed721f12f8c7cc70fa43261588
Instruction ID: 32f1e9a032ffa4f63196941018671ca8c6a6faff4c03ef503eebfb8dc1c1946d
Opcode Fuzzy Hash: a05b32f64fbb7998eaa18aa76dfd1313958748ed721f12f8c7cc70fa43261588
Instruction Fuzzy Hash: 9743B071A00205CFDB18CF68C884BAEB7F2FF48324F14562EE56A9B391D774A845CB55

Function 004034E2 Relevance: 4.2, Strings: 3, Instructions: 430COMMON

Download Yara Rule

Strings

BUTTON, xrefs: 00403902
onClick, xrefs: 00403757
BUTTON, xrefs: 0040389C

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BUTTON$BUTTON$onClick
API String ID: 0-2769331960
Opcode ID: 01b6fc4becf75389add3002966ca23f012d8b0bbcb0aa2d2b8d285a0dfe79e2f
Instruction ID: 70acff10dfd3079b53028422cda8942352f33132edddd2499425eb08abdc8361
Opcode Fuzzy Hash: 01b6fc4becf75389add3002966ca23f012d8b0bbcb0aa2d2b8d285a0dfe79e2f
Instruction Fuzzy Hash: 82E193B1200241AFDB208F68DC84D6B7FA8EF45361B148B39F5669B2E1C774ED44DB24

Function 0042C3A7 Relevance: 4.1, Strings: 3, Instructions: 399COMMON

Download Yara Rule

Strings

,, xrefs: 0042C4B8
<, xrefs: 0042C3B7
, xrefs: 0042C7A7

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $,$<
API String ID: 0-3345203925
Opcode ID: 79c702a7917a54e4d8de04380da539a35b4c81fdd9ec93c229a0ca72288fef8a
Instruction ID: fdb6ca09a25ac93c1559b28c8e5f73fb0ebe1371e6a5faf5e61a300e7ea1fd24
Opcode Fuzzy Hash: 79c702a7917a54e4d8de04380da539a35b4c81fdd9ec93c229a0ca72288fef8a
Instruction Fuzzy Hash: 1AF14831704625DFCB60CF68D6C4D6EB7F1BB88310B95895AE84AA7611D734F882CF49

Function 004B348E Relevance: 3.5, Strings: 2, Instructions: 1010COMMON

Download Yara Rule

Strings

NaN, xrefs: 004B34E7, 004B350D
Infinity, xrefs: 004B34E0

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Infinity$NaN
API String ID: 0-4285296124
Opcode ID: d0f3ad84a9f5c5ed018afbffaeb1b857c68d8ca4dcc25371729c00978239dab2
Instruction ID: 451ccbc096a05975152b027134795a4661227fafc91aa927d2996c731bbcd873
Opcode Fuzzy Hash: d0f3ad84a9f5c5ed018afbffaeb1b857c68d8ca4dcc25371729c00978239dab2
Instruction Fuzzy Hash: B382E771D00209DFCF11CFAAC9806ED7BB0FF04365F25466BE465A6290D7388B95CBA9

Function 00489A1E Relevance: 3.4, Strings: 1, Instructions: 2113COMMON

Download Yara Rule

Strings

klips/images/alert animation/, xrefs: 0048AFBF

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: klips/images/alert animation/
API String ID: 0-2929400070
Opcode ID: d4e915e2f3b5486ce997dfb71759e1b4bcf3bc3c8cf78c73bff009a856689879
Instruction ID: 88821da37bef38680905227e03fa30ec284d769c71c32a366c80e49943f089dc
Opcode Fuzzy Hash: d4e915e2f3b5486ce997dfb71759e1b4bcf3bc3c8cf78c73bff009a856689879
Instruction Fuzzy Hash: 02137971A00209AFDF18DFA8C884BEEBBB6FF48304F14455AE516A7390CB74AD54CB21

Function 0040B675 Relevance: 2.9, Strings: 2, Instructions: 354COMMON

Download Yara Rule

Strings

BUTTON, xrefs: 0040B9F4
BUTTON, xrefs: 0040B999

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BUTTON$BUTTON
API String ID: 0-1930890356
Opcode ID: 7790a63cdce93eeabd41695da757a461aefb36741df234b174b28e237c8324c6
Instruction ID: 330097922811cf0b804d6408968b87967ed64868c702ca4eff20ca28acbc7a4f
Opcode Fuzzy Hash: 7790a63cdce93eeabd41695da757a461aefb36741df234b174b28e237c8324c6
Instruction Fuzzy Hash: 97D18272200246EFDB208F68DC84D6B7BB5EF44320B148639F566A76E1C774EC84DB58

Function 00471965 Relevance: 2.4, Strings: 1, Instructions: 1130COMMON

Download Yara Rule

Strings

item, xrefs: 00471A2B

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: item
API String ID: 0-521872670
Opcode ID: 21e526e75260df14490f8632042fc1e04ade4bf638c601264e8c7af3829a9ce1
Instruction ID: c79a90bf4dc369a1da55bd93d9695d6b33b2c798dac842debbd9593df0ed3bd3
Opcode Fuzzy Hash: 21e526e75260df14490f8632042fc1e04ade4bf638c601264e8c7af3829a9ce1
Instruction Fuzzy Hash: F3B25B70A00606CFCB28CF58C6909AEB7F2FB49310B21CA5AD85AA7650D774F946CF59

Function 004D76CB Relevance: 2.1, Strings: 1, Instructions: 884COMMON

Download Yara Rule

Strings

x, xrefs: 004D7BE8

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: x
API String ID: 0-2363233923
Opcode ID: b44a31bf4ca3d8f3b105f80317d2664a4198fa0edc2ce625cf1c3ad19c5bc510
Instruction ID: ba4a9ff30bd363f3bf902957b4895f0fadbbed609e669b5139779f5203be17a6
Opcode Fuzzy Hash: b44a31bf4ca3d8f3b105f80317d2664a4198fa0edc2ce625cf1c3ad19c5bc510
Instruction Fuzzy Hash: 5E628DB3D1D261ABD7258F18C8643BD7BE0AF41724F18829BD460CA3D2E67C8985D359

Function 0044998F Relevance: 2.1, Strings: 1, Instructions: 811COMMON

Download Yara Rule

Strings

R E, xrefs: 004499B8, 0044A260

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: R E
API String ID: 0-55292529
Opcode ID: 9400e7f34402c03d6fc1cea60c4e2066bcde5d496afe15faa94e204dec8acd55
Instruction ID: 1723ab6d000dc6dd917fe17b48d304f6be36f02e628777ad137ba4819e38e4e0
Opcode Fuzzy Hash: 9400e7f34402c03d6fc1cea60c4e2066bcde5d496afe15faa94e204dec8acd55
Instruction Fuzzy Hash: C6726171E00219DFEF14CFA8C984AAEB7B1FF48324F10465AD426AB291D734AD82DF55

Function 004417EC Relevance: 2.0, Strings: 1, Instructions: 721COMMON

Download Yara Rule

Strings

k, xrefs: 004419BC

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: a9e0db485cae42b632760c26b77dc1297e1d5c582e7f780369f63104d3e6bfc0
Instruction ID: 901458d8fee35b859a52c62aa71b07c94a358293e6ed4a72774e52b53473562b
Opcode Fuzzy Hash: a9e0db485cae42b632760c26b77dc1297e1d5c582e7f780369f63104d3e6bfc0
Instruction Fuzzy Hash: 70521B70A00649DFEB18CF99C8958AEB7B2FF84304B14806EE456EB761D774ED81CB44

Function 0043FA85 Relevance: 1.9, Strings: 1, Instructions: 657COMMON

Download Yara Rule

Strings

k, xrefs: 0043FC60

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: k
API String ID: 0-140662621
Opcode ID: 4fa507993dc9115ec45e3b7a6275f6f3bbfa4f9037a9ee8d1a11c0327560f422
Instruction ID: 58701fa5bf7901c150caa593d721ef9f20db843b697dc7f371c9002f42a24459
Opcode Fuzzy Hash: 4fa507993dc9115ec45e3b7a6275f6f3bbfa4f9037a9ee8d1a11c0327560f422
Instruction Fuzzy Hash: 2B420670A00209DFDB28CF99C9849AEBBB6FF88304F20946EE8169B751C774AD45CF54

Function 0044BC95 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

R E, xrefs: 0044BCCA, 0044C23E

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: R E
API String ID: 0-55292529
Opcode ID: 8ec6910612eef586922c3ca3f0ecd24f131ed7170b84fe758b60009d03040ef4
Instruction ID: 8384f1b0ee7d92fe47cc6ec04cb0c573e9a07171471c9062d39340dfe8dd13fc
Opcode Fuzzy Hash: 8ec6910612eef586922c3ca3f0ecd24f131ed7170b84fe758b60009d03040ef4
Instruction Fuzzy Hash: 85223971E00218CFEF54CFA8C980AEDB7B5FB44320F14465AD426AB291DB74AD82CF95

Function 00404A93 Relevance: .9, Instructions: 932COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2a768ea25ef21afc02183655f3666f69a819c262f4e9d63ac37476c1bb6e5d
Instruction ID: dc73a8b2043c72600b10f0612726ee2c6c8e6d01e538b260763071b56c2714d5
Opcode Fuzzy Hash: ba2a768ea25ef21afc02183655f3666f69a819c262f4e9d63ac37476c1bb6e5d
Instruction Fuzzy Hash: 3C8291B1900605DFCB14CFA8C984EAEB7B5FF84320F148669E526AB2E1D734AD45CF64

Function 00443AE7 Relevance: .9, Instructions: 861COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d250a4aba7af399003567563ae25765128258076caee255c6fb4f762e967e927
Instruction ID: 1a8b9043da736f91bb3f757076bdc1ac91ee53391c73dac4d7b8d2ae1691950b
Opcode Fuzzy Hash: d250a4aba7af399003567563ae25765128258076caee255c6fb4f762e967e927
Instruction Fuzzy Hash: 62723A71A00609DFDB28CF59C8859AEB7B6FF88705B24846EE4169B351CB34EE41CF54

Function 00495655 Relevance: .9, Instructions: 852COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b6dd94c94738ba71e65df13466d4fb0136713afc2fd9147f884a7d387402b06
Instruction ID: d8c0bf9e8c1d1935eb1e0d4df79d66c2e4ff8dd4954e1a330d2c779d219df158
Opcode Fuzzy Hash: 3b6dd94c94738ba71e65df13466d4fb0136713afc2fd9147f884a7d387402b06
Instruction Fuzzy Hash: 36721434600B05DFCB29CF68C988D6ABBB2FF49304B2085AEE4568B6A1C775ED41DF54

Function 00479193 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54509a8a6ea4da9990777300359a9113fd27f74956dcac6974c93c9f2624a4ee
Instruction ID: 069338df278d543b5f0bf81c0e0e404319fab34b54ed7d49374ecc1691687822
Opcode Fuzzy Hash: 54509a8a6ea4da9990777300359a9113fd27f74956dcac6974c93c9f2624a4ee
Instruction Fuzzy Hash: 59625C716107009BCB34DF65D980A6BB7E6BF48720B044B1EE4AB87BE0DB34AC45DB59

Function 00434E74 Relevance: .8, Instructions: 799COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5dc49349499578b438e004b57d4994dc4dce10877cc8146915f677e361dd5aa
Instruction ID: 9bea51ac24bde846e75bf5aaeb58b7cc97749820a355edcaf0887954986d234f
Opcode Fuzzy Hash: b5dc49349499578b438e004b57d4994dc4dce10877cc8146915f677e361dd5aa
Instruction Fuzzy Hash: 1D527536F4060AABDF08CED9CC819DDB7B3EBC8314B198278D515E7345DAB8A616CB50

Function 004423B9 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0526f5064993b1346136eb10e90b6d43691c85708aab1cce70e304af24a1f31
Instruction ID: 8c0c3a9e29271b6ee421c1bf7a51c55add4d0decbfb39c9bc654115574dbdd38
Opcode Fuzzy Hash: f0526f5064993b1346136eb10e90b6d43691c85708aab1cce70e304af24a1f31
Instruction Fuzzy Hash: D4321571A00204AFEB21DBA5CD95FEE7774AF05730F504B88E535AB2E1CBB49A41CB64

Function 0049FF3A Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d9af9295819cc65c4280ec6b0d310db74c22f90406ec94b138c619a7349483
Instruction ID: 417f2d5023567fd552f232e50eaeb82bec2ee6ba075f3fb5a2f84ce6f74c1ff5
Opcode Fuzzy Hash: 83d9af9295819cc65c4280ec6b0d310db74c22f90406ec94b138c619a7349483
Instruction Fuzzy Hash: CB32D170A00709DFCB28CF99C8948AEBBB5FF9A304B20885EE452AB751D775E941CF54

Function 00475FB3 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c512a29ff400bdfdeb8a44fa9eecc51a7b8f9136e189c8b0b3d1683455848a
Instruction ID: 1d86f07b3b4abd111f44e62c80fab2a49e6bccc239c4484d4d847ef37a1214b1
Opcode Fuzzy Hash: a9c512a29ff400bdfdeb8a44fa9eecc51a7b8f9136e189c8b0b3d1683455848a
Instruction Fuzzy Hash: 5832A470600A41EFCB24CF29C4949AABBF2FF44310B1AC6AED4598B792C735ED85CB55

Function 0043E34D Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96291eaa7287b6f6cfec581c88c6834748bfb4ace9adea02620872019cc5dd85
Instruction ID: 3cddfa28141c29afe92e67ffd7660333c338a22c0e04054e5fa5bcc278f08052
Opcode Fuzzy Hash: 96291eaa7287b6f6cfec581c88c6834748bfb4ace9adea02620872019cc5dd85
Instruction Fuzzy Hash: E0221475A01209EFCB18CF9AC8849AEBBB2FF48304F54946EE4169B391D774E942DF44

Function 00475736 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 636ba8d6d1e971cb0c209ce833838b551060c3bf4f9cd8b1414bd14828c90fc6
Instruction ID: b5eb8f54fecadc7866c69a90707db0b80ff4907024507ab76c931dc6aa684daf
Opcode Fuzzy Hash: 636ba8d6d1e971cb0c209ce833838b551060c3bf4f9cd8b1414bd14828c90fc6
Instruction Fuzzy Hash: 08225E70A00A45DFCB24CF69C580AEEBBF1BB08324F18C65AE569DB791D3B4E941CB54

Function 004451F7 Relevance: .5, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca18fd389b035e5ee56a01e39488a43ef52e8ba99dbbb51dc570267548e83a0
Instruction ID: df13847e86854b1632a88a11bf85b55c821521c03e6375a35ede71d1e276ba83
Opcode Fuzzy Hash: fca18fd389b035e5ee56a01e39488a43ef52e8ba99dbbb51dc570267548e83a0
Instruction Fuzzy Hash: 1612C074A00609EFDB18CF99C884CAEBBB6FF88308B10845AE8569B752D774ED45CF54

Function 0046804C Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c669f2fdf8b66b45a47dc2d62d770947629778001c0a2c391e1248c2b4536bc6
Instruction ID: 5b65ceea73f12f52fdf9153f12f16cbbcdb82167395547bde217b062142f75bf
Opcode Fuzzy Hash: c669f2fdf8b66b45a47dc2d62d770947629778001c0a2c391e1248c2b4536bc6
Instruction Fuzzy Hash: 77022770A00609EFCB18CF98C9848AEBBB2FF89304B10855EE456AB351DB75ED45CF55

Function 0044433A Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7e17eb6153ecc471ac1bf62cf3600ef05c2d0440a3680130baf5ccd2bff515
Instruction ID: 8dd5992facce443a6408e9ddae92f11c041a164331720064b7c8b65c36416655
Opcode Fuzzy Hash: 9d7e17eb6153ecc471ac1bf62cf3600ef05c2d0440a3680130baf5ccd2bff515
Instruction Fuzzy Hash: 45020871A00604DFEB28CF98C891AAEB7B2BFC5305B15846EE0169B751DB38AD41CF54

Function 00490434 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24de51fa92a7dc78843b48cec1449a4c1c7ec251ecb4b6580b52e2e42af4d213
Instruction ID: 5a5f304c4670814064319b95129633ffd5bbe47497a92a5bd219bd95c6309b1d
Opcode Fuzzy Hash: 24de51fa92a7dc78843b48cec1449a4c1c7ec251ecb4b6580b52e2e42af4d213
Instruction Fuzzy Hash: F2F18F30A041159FDF10DFA8C590BAEBFB1BF45320F1581AAD855AB392C339ED42CB99

Function 00440955 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25afab3b7b06a1a1cb7fd132ee6d1a5fad5b29b0b80ff03ca8ebd96394b763aa
Instruction ID: ed07fed9d69d4b6d01f9fc1eedf85ccab215e56b38993159af0b9b5da5fa282d
Opcode Fuzzy Hash: 25afab3b7b06a1a1cb7fd132ee6d1a5fad5b29b0b80ff03ca8ebd96394b763aa
Instruction Fuzzy Hash: 98F1D170A00709EFDB28CF98C884CAEBBB5FF88308B10855EE556AB751D774A952CF54

Function 00466817 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7137193713ca857c639b688756abe98e88dfcaf3f87bd713b357977e2236b498
Instruction ID: 4d6ad6f54178e3d66180a9300aca3f683ec8e67ddc424f27f020e52ce21b6a47
Opcode Fuzzy Hash: 7137193713ca857c639b688756abe98e88dfcaf3f87bd713b357977e2236b498
Instruction Fuzzy Hash: E8F12671A00209EFCB18CFA8C8848AEBBB6FF89304B11856EE456AB351D734ED45CF55

Function 004765D8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 592067cc940cb8fdbf9babcb47a589460f7cde59ef648dbca97d5b05d498951e
Instruction ID: 9f0227bd753c09e80b54a8979ad1e88147e9207755f0440c7b48db164b8bf890
Opcode Fuzzy Hash: 592067cc940cb8fdbf9babcb47a589460f7cde59ef648dbca97d5b05d498951e
Instruction Fuzzy Hash: D9C18070604B009FC724CF29C590E6ABBF2BF45310B168AAED46ACB3A1C774ED45CB55

Function 004FEFE2 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5cdf8b44a17726ef50f9a950de4a483a85b3869b5309a4f2b4531c91b56600
Instruction ID: b2beb17011dce85f2f4edf1f1c7b1708a00d84928cc8779c42d89621ad214644
Opcode Fuzzy Hash: 1a5cdf8b44a17726ef50f9a950de4a483a85b3869b5309a4f2b4531c91b56600
Instruction Fuzzy Hash: DEB17E35A0020ADFDB15CF14C5D0AA9BBA1FF58328F24C1AED9595B382D735EE46CB90

Function 0043E885 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8932e69ac6dd49924e2affd1ec37368922b3fb7a6dd2e6a48c68cb0d3519eff9
Instruction ID: 65430177ff5d8392690e9b45aeffd4ed2c4c62a3d016c6dc07b435ad080fa52a
Opcode Fuzzy Hash: 8932e69ac6dd49924e2affd1ec37368922b3fb7a6dd2e6a48c68cb0d3519eff9
Instruction Fuzzy Hash: 50B11A71A01219DFCF08DF99C8848AEBBB5FF48700B24949AE411AB395D774EE41DF94

Function 0044F4C8 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d97dfd9e71a5cbe7d9c94fc807745acdf9fa3ffa49ef1d8fcddc3c82d9b49976
Instruction ID: f45a04fcfe06b8e5de154e198a6f6a9ca193612f6a78ef312a579c9f9c486b39
Opcode Fuzzy Hash: d97dfd9e71a5cbe7d9c94fc807745acdf9fa3ffa49ef1d8fcddc3c82d9b49976
Instruction Fuzzy Hash: FDA16E31610215DFEB68CF68C690D6EB3F1BF45310B61096ED4539BAA1CB38F94ACB19

Function 00495EBE Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2317565774.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2317548684.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317656299.0000000000515000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.0000000000529000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317679523.000000000053B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2317719661.0000000000566000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bda97bf5a8a77a733d785767d9b9de00817b646a7396baac3cf6215f5838bc
Instruction ID: 95e527e7edf1d880c960b660347b1d0b6426019fa1a99f3354405dac247a9670
Opcode Fuzzy Hash: e6bda97bf5a8a77a733d785767d9b9de00817b646a7396baac3cf6215f5838bc
Instruction Fuzzy Hash: 3281E075A00708EFCB28CF68C4848AEBBB5FF44318B2184AAE4569B765D774ED40CF94

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_e725c4998f2ba627acb67b53dd0cceda535ad98_4776a078_87f0d626-6d6e-4be0-b621-260d8459f5a4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_f97a154eca4d9e66511a6419fa11876b2554a68_4776a078_d0e779fb-6d15-4014-8ef4-9ecf278ccc60\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A26.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A65.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1A85.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E00.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E30.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7E50.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.Heuristic.HEUR.AGEN.1341547.2857.10664.exe

Function 004FE46E Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 004FFA4C Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON