Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe
Analysis ID:	1532770
MD5:	c87734c82ff73864e403bf882720012e
SHA1:	51ca8ccda0ff6c98d99e67745079d88f21206e8c
SHA256:	eeb8a21f143672528961d991b6fefbe712dd2e87455f01f4f1291698514ab019
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe (PID: 2888 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe" MD5: C87734C82FF73864E403BF882720012E)

WerFault.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 236 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3292 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Code function: 4x nop then push ebx

0_2_004AE52C

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabswflash.cabFlash
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	String found in binary or memory: http://www.clamav.net

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Binary or memory string: Couldn't DirectDrawCreateEx

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00472080	0_2_00472080
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004AC1DF	0_2_004AC1DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004941B3	0_2_004941B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047E240	0_2_0047E240
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0046C200	0_2_0046C200
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047A2EC	0_2_0047A2EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00408343	0_2_00408343
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00486320	0_2_00486320
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004983EA	0_2_004983EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00468410	0_2_00468410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004845A0	0_2_004845A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004A4650	0_2_004A4650
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047E620	0_2_0047E620
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004946D6	0_2_004946D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004886E0	0_2_004886E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004AE6A0	0_2_004AE6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0046C740	0_2_0046C740
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00492730	0_2_00492730
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0046E931	0_2_0046E931
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004689F0	0_2_004689F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00498A65	0_2_00498A65
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004C4B48	0_2_004C4B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004AAB20	0_2_004AAB20
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00402BE0	0_2_00402BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00460C4B	0_2_00460C4B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004ACC50	0_2_004ACC50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0048CC67	0_2_0048CC67
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00482CE0	0_2_00482CE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00472E10	0_2_00472E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00470E90	0_2_00470E90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004AAF40	0_2_004AAF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004952DC	0_2_004952DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004672A0	0_2_004672A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0040B3F2	0_2_0040B3F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047B3A0	0_2_0047B3A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0048F430	0_2_0048F430
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004854B0	0_2_004854B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004AB730	0_2_004AB730
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004BF840	0_2_004BF840
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047387D	0_2_0047387D
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00485970	0_2_00485970
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004939C8	0_2_004939C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004919EB	0_2_004919EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0049F9B0	0_2_0049F9B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047BA50	0_2_0047BA50
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004ADA70	0_2_004ADA70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004D1AC0	0_2_004D1AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004CBBA7	0_2_004CBBA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00483C00	0_2_00483C00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047BCF0	0_2_0047BCF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00465C90	0_2_00465C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004A5E60	0_2_004A5E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_00467E00	0_2_00467E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004ADFCE	0_2_004ADFCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_0047DFB0	0_2_0047DFB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 236

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2888

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6cb700c8-5aee-405a-9867-9c60f1291a13

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 236
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 224

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Static file information: File size 1634304 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004BB144 push eax; ret		0_2_004BB162
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Code function: 0_2_004BDE50 push eax; ret		0_2_004BDE7E

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Code function: 0_2_0040900B rdtsc

0_2_0040900B

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Code function: 0_2_0040900B rdtsc

0_2_0040900B

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Code function: 0_2_004BEBB7 EntryPoint,LdrInitializeThunk,

0_2_004BEBB7

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Binary or memory string: Program Manager
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Binary or memory string: Progman
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	Binary or memory string: CBK_AudioBitCBK_TimeSecCBK_TimeCBK_ID3GenreCBK_ID3YearCBK_ID3AlbumCBK_ID3ArtistCBK_ID3SongCBK_ChannelsCBK_AudioFreqCBK_AudioTypeCBK_AudioNameCBK_TotalSecCBK_TotalCBK_NumTracksCBK_TotalListSecCBK_TotalListCBK_NumInListCBK_CurItemListCBK_DateLongCBK_DateShortCBK_DateNumCBK_DayNumCBK_DayCBK_MonthNumCBK_MonthCBK_YearCBK_SecondCBK_MinuteCBK_HourCBK_Time24CBK_TimeHMSCBK_VFrameCBK_VTimeSecCBK_VTimeCBK_VTotalFramesCBK_VTotalSecCBK_VTotalCBK_VNameMonoStereo%7.3gkHzLayer ILayer IILayer IIIMPEG 1 MPEG 2 MPEG 2.5 && %dkbps%02d %lu%B %d, %Y%d/%m/%y%A%B%H:%M:%S%I:%M:%S %p.ACPCoInitialize Failed!MMBUntitled<Temp><Embedded><CD><SrcDrive><SrcDir>ProgmanProgram ManagerYXMXROWMXCOLIF_IDLECannot find the file

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Code function: 0_2_004082E6 cpuid

0_2_004082E6

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	31 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	2 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	16%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	false		unknown
http://upx.sf.net	Amcache.hve.3.dr	false	URL Reputation: safe	unknown
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	false		unknown
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabswflash.cabFlash	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1532770
Start date and time:	2024-10-13 22:42:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe
Detection:	MAL
Classification:	mal52.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 58
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.189.173.20
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
VT rate limit hit for: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_33cbd787311dc2429e65fee66ad824c02ead7e_4c7bbdba_cbd6c6ef-7bea-4283-84d5-b2012cb51b43\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.682625679709652
Encrypted:	false
SSDEEP:	96:PokAFBD2/3dl+eies2NhMyoI7JfdQXIDcQvc6QcEVcw3cE/DPD+HbHg6ZAX/d5F+:P7Am/vseM0BU/QjEzuiFEZ24IO8z6
MD5:	2BB07FF6F527965FA9EB44706018C5B4
SHA1:	2756E0281DCC4CE5092DB2A211C6DB2466AE4AC7
SHA-256:	3A8786BB9B96DFD272117D370A8AD8F94784125074A778BA2BB61EAE5AE588FD
SHA-512:	56A359705377486BBE8025088A3073496EB9897B41B058FB210C1CD1CE0E4A8C34D55C6820D1E61C9BB837F91AAD7F40C4FC3FBB6CC0C9E865197EEC30E032B2
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.2.5.8.1.8.6.1.9.7.3.9.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.2.5.8.1.8.9.0.0.9.8.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.d.6.c.6.e.f.-.7.b.e.a.-.4.2.8.3.-.8.4.d.5.-.b.2.0.1.2.c.b.5.1.b.4.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.4.e.f.7.0.7.-.1.4.5.4.-.4.8.6.5.-.a.3.4.1.-.0.a.5.e.4.e.9.5.3.b.6.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...4.8.0...1.1.7.9.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.4.8.-.0.0.0.1.-.0.0.1.4.-.b.a.e.9.-.9.b.9.4.b.0.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.2.0.5.a.7.e.9.a.7.7.2.3.4.4.5.d.a.e.5.2.4.6.9.a.7.a.9.7.4.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.1.c.a.8.c.c.d.a.0.f.f.6.c.9.8.d.9.9.e.6.7.7.4.5.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcbd84ccbdb49ee0426243222b957337193e8feb_4c7bbdba_0ecf2dfb-43fa-4926-83ef-82aebbc861db\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6831822515620873
Encrypted:	false
SSDEEP:	96:Pyk5FP92/3dl+eids2NhMyohR7JfOQXIDcQwc6ccEgcw31vPD+HbHg6ZAX/d5FM8:PR5W/vsdq90uYKBwjEzuiFfZ24IO8z6
MD5:	046F219A68C95A7114502B0D7145C128
SHA1:	5A7828E7AD91BE1B2AB2661E306442AEB1A2303D
SHA-256:	6F8785D8E55930C7618CAA3DF0A5FB9C78110F5FBEC17E7530171077D01E25CC
SHA-512:	5342094210DAA98F6EECA4391153228AA9D352030423549547C35E23B9AD2B9E8059711DAFF82A8CDECFFD4A46E4B09BD99B07B9173E98A7A19D8079B7F0E1C9
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.3.2.5.8.6.6.5.3.4.6.1.6.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.3.2.5.8.6.6.7.6.8.9.8.5.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.c.f.2.d.f.b.-.4.3.f.a.-.4.9.2.6.-.8.3.e.f.-.8.2.a.e.b.b.c.8.6.1.d.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.7.2.5.7.d.0.-.8.7.f.9.-.4.e.2.8.-.9.d.7.4.-.1.e.f.f.9.3.a.9.8.7.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...4.8.0...1.1.7.9.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.4.8.-.0.0.0.1.-.0.0.1.4.-.b.a.e.9.-.9.b.9.4.b.0.1.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.2.0.5.a.7.e.9.a.7.7.2.3.4.4.5.d.a.e.5.2.4.6.9.a.7.a.9.7.4.f.b.0.0.0.0.f.f.f.f.!.0.0.0.0.5.1.c.a.8.c.c.d.a.0.f.f.6.c.9.8.d.9.9.e.6.7.7.4.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC902.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 20:44:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18578
Entropy (8bit):	1.9273185469121716
Encrypted:	false
SSDEEP:	96:5v8y1BLTaQnHkqxYi7nMIuH47yir3XeiWIkWI5IIhwJOJZ:qQQetuOCi7uBqOJZ
MD5:	E6441DA5B1E29010498E123B16B4A438
SHA1:	5D1CA21887F824B731ABAEE93B7B48414A922F32
SHA-256:	11CA11CD7566DD31CCE51DE86499B867E817B932AA083E997D4341035786FEDF
SHA-512:	CAF6EB868194171BFD61F512C1FE3B9C24D16FDFD56ABFD2E976E29D2D17F8FBB7CB65E3FC726711462DA95445FEC9733B7A631D7A1A1C438E63F98A9C63BAC6
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......*1.g............4...............<.......T...............T.......8...........T...........H...J?......................................................................................................eJ......L.......GenuineIntel............T.......H....0.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC932.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8504
Entropy (8bit):	3.70172749826679
Encrypted:	false
SSDEEP:	192:R6l7wVeJsM6Mse6YEIxSU9vIgmfFqFv6pDRC89brlsfKZm:R6lXJv6G6YEuSU9vIgmfQFv87r+fd
MD5:	45EAA09B42329EC66B2A45683D244101
SHA1:	F33E631F759F2C303E623A389B240283ACE5FA65
SHA-256:	55CFF2F81C9FFD8E74C8E61B725C9365789A6EEE02A81EBCB73FE0FD4853AC8E
SHA-512:	17A766734F6168FC9BD9926965C973053E407C2C81BC38097BE1D238A13CC2379C28F506A457852B7085C18C58B6BECA61C2935B6319AC844650D3CA19EE4163
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC952.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4828
Entropy (8bit):	4.576967807020597
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2MJg77aI9ZuWpW8VYzYm8M4J8+LOqFwI+q8bNpO7Tv1np+Y3d:uIjf1I73P7VnJzLUIGH0L+Y3d
MD5:	74ED3E4DFFBE7B472F3842578A8441F0
SHA1:	F09C1DC17B8BF81106DC837C25CD9B6E874EF587
SHA-256:	06B8EBB406951422BC66F62DCCD34B27D7ABEB0B91E7F563023779EE7D4115BA
SHA-512:	B26FEBD87BC0425E96FBB08EDFB1C907E7136D33110AB7E911476DC2D628BA75C148923CA56A7CA139F1962833EDB8AFCC429EABB098DB2E52B228C53D537C05
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542147" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 13 20:43:38 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18710
Entropy (8bit):	1.9636835235980872
Encrypted:	false
SSDEEP:	96:5Q8mRLTaQwtkx1Yi7n7W44OsKxbiWIkWItIIwfCt6ede82sM:JjRaiOSGEqt6eExsM
MD5:	1885F31B41C1D98203387468427D8844
SHA1:	6D9A00F3D21E0F078404078ABC02E0C31BE9D75A
SHA-256:	C15900E404DCBA8FA943D36F8A814F3F3FF196A69125C6502E5FACBB481B2006
SHA-512:	6A558FE05AB583C29E1633C9BA42721E7448CA8B62B8C8565CF5B034FD1E51529B82E14AF2FF68E0FBA2EE3736307D6EB00AB67C7681F0D01C94618DBB5F6DBA
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........0.g............4...............<.......d...............T.......8...........T...............~?......................................................................................................eJ......L.......GenuineIntel............T.......H....0.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8496
Entropy (8bit):	3.7046421875205167
Encrypted:	false
SSDEEP:	192:R6l7wVeJsv6wtfPse6YEIESU9eKgmfFCSprj89bTlsfCvxm:R6lXJM6YfN6YELSU9eKgmf0DT+fV
MD5:	B2C17CB488B41F2F4C9D1FD4F58819D1
SHA1:	E7BD2EB2ED756AFCCF7D2D5A8DE539D708055772
SHA-256:	8D29D7B6EC7B081CCC3B580D1F049B8964FD50024B8C6D15BF3DD5A03EAA74DD
SHA-512:	59FFA8456C41EBB414DAD200CF37434F39B788D30C0A26FBE3646892BF98277CE20E6BD0721C59A5A7EB9EF5833109A7CF60AFA1944BE7ACBDB658D651284EDE
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.574988151324334
Encrypted:	false
SSDEEP:	48:cvIwWl8zs2bJg77aI9ZuWpW8VYhIYm8M4J8gFR+q8o1Tv1np+Y3d:uIjfKI73P7VmJZZL+Y3d
MD5:	A03571931795F146C47E2FED461D394D
SHA1:	34A707AA24617D23F205F3A80197AE921C6CDF43
SHA-256:	918294FAB822EDC6B3BFC03E61FAA0F80CD7A54874E96B29B73E0FADE9D67975
SHA-512:	5B7CA5B26012532F72EDFFBCAE7D5838C5BB849A5A2D3F628DD2A800D4949969E259C8B21363C538366CC7509230F983D2DCDE4DA2BDEE5E258D3358DADE415C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="542146" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4217335732317045
Encrypted:	false
SSDEEP:	6144:kSvfpi6ceLP/9skLmb0OTTWSPHaJG8nAgeMZMMhA2fX4WABlEnNi0uhiTw:vvloTTW+EZMM6DFyY03w
MD5:	E1DF508C6846C9ED88CDC3DDF6E1A3C2
SHA1:	73BDE93E6B58EEB3F93C60DDA7CFC10414499904
SHA-256:	275332FED618BF981428EED4D635FB14802D1B55C9AAB66CB0DBD85E1000FEB4
SHA-512:	212BE1252073FB703A0D81D6946609D954CB20D5983030BFA1F861E94D948785DBA3314F63DDB9D06D3224BD91E148FC7AC5003A296971A34DE2DEFF5C4EAD71
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmf^.................................................................................................................................................................................................................................................................................................................................................p..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.434096451777225
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe
File size:	1'634'304 bytes
MD5:	c87734c82ff73864e403bf882720012e
SHA1:	51ca8ccda0ff6c98d99e67745079d88f21206e8c
SHA256:	eeb8a21f143672528961d991b6fefbe712dd2e87455f01f4f1291698514ab019
SHA512:	ee2090fb49fda60f98f280a2c1cd6d795d320633ea341f35132a1af3f9c8babfe6176b6bb324f161b76c49b65e176b04f850a1ab75a71a574a9b5d2441de4887
SSDEEP:	24576:L2pJKU03osSn4apPd28fV9x6hCrRtwdNZCYw9PJ:AJKU0Yz4sffV9x6hCQgf
TLSH:	E7758D21F2C1481AE1E1C1724AF6F33CD9AB9F9C43256983C3ACFB793636C4A4A155D6
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.....................P.............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4bebb7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004FFE90h
push 004BCD04h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004EA320h]
xor edx, edx
mov dl, ah
mov dword ptr [005700C4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [005700C0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [005700BCh], ecx
shr eax, 10h
mov dword ptr [005700B8h], eax
push 00000001h
call 00007F452EEA54FCh
pop ecx
test eax, eax
jne 00007F4598B848DAh
push 0000001Ch
call 00007F45799453FCh
pop ecx
call 00007F4560CE54FCh
test eax, eax
jne 00007F4598B848DAh
push 00000010h
call 00007F45799453FCh
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F45450154FCh
call dword ptr [004EA3CCh]
mov dword ptr [00583E54h], eax
call 00007F45CA3954FCh
mov dword ptr [0057007Ch], eax
call 00007F457D3654FCh
call 00007F45C43654FCh
call 00007F4553A753FCh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004EA3C8h]
call 00007F456C3554FCh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F4598B848D8h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10dce8	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x185000	0x92d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe9000	0xe9000	14843f3fec8733e48dfd8dab19e76ef4	False	0.49655059683476394	data	6.785102085287558	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xea000	0x27000	0x27000	5788fc339fa97e4045f2e03f15079561	False	0.20273687900641027	data	4.30353072089624	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x111000	0x74000	0x74000	1753117b178cbc45f533ffd882b970a8	False	0.08230485587284483	data	1.5879276262753053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x185000	0xa000	0xa000	3fc98ab6ec7722b5992a5b4eded1d84a	False	0.135693359375	data	2.526045632832356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exePID: 2888, Parent PID: 1028

General

Target ID:	0
Start time:	16:43:38
Start date:	13/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe"
Imagebase:	0x400000
File size:	1'634'304 bytes
MD5 hash:	C87734C82FF73864E403BF882720012E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6464, Parent PID: 2888

General

Target ID:	3
Start time:	16:43:38
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 236
Imagebase:	0xe10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3292, Parent PID: 2888

General

Target ID:	9
Start time:	16:44:26
Start date:	13/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 224
Imagebase:	0xe10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exePID: 2888, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	40%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 004BEBB7 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 004BEBDD

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af97576b9eddfdf9dce3f6d86368cac56c06dd38bf1ebeeea2ed54e0eb82bb47
Instruction ID: 1ac4b3afbfd349f1c3a262c859b4b0b302b6da21dc28eabf9ae404373e2a0b92
Opcode Fuzzy Hash: af97576b9eddfdf9dce3f6d86368cac56c06dd38bf1ebeeea2ed54e0eb82bb47
Instruction Fuzzy Hash: 8421C5718007059EDB089FB6EC48BAE7BB8EF45730F10072AE5359B2E0DB344884D765

Function 004BCD04 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 004BCDAB

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 39a600f2c8ea5f353078907d2f9317fb911f4e55ff7360e011be8bd17cce35af
Instruction ID: ad849eed8796f4386a204379a05edf78fe333868bf174bd884adfb0a126e3b99
Opcode Fuzzy Hash: 39a600f2c8ea5f353078907d2f9317fb911f4e55ff7360e011be8bd17cce35af
Instruction Fuzzy Hash: 7C215675500204ABCB10DF58DCC4AE6BB68EF04360F454666ED2597285D735F965CBE0

Non-executed Functions

Function 004CBBA7 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

+, xrefs: 004CBD9C
c, xrefs: 004CBC96
9, xrefs: 004CBDF4
E, xrefs: 004CBC91
1, xrefs: 004CBE1F
9, xrefs: 004CBCBC
-, xrefs: 004CBC7E
0, xrefs: 004CBC83
9, xrefs: 004CBE28
-, xrefs: 004CBDA5
C, xrefs: 004CBC88
9, xrefs: 004CBC68
0, xrefs: 004CBE46
+, xrefs: 004CBC79
9, xrefs: 004CBE38
9, xrefs: 004CBC16
0, xrefs: 004CBCD1
1, xrefs: 004CBDEC
e, xrefs: 004CBC9F
0, xrefs: 004CBE15
0, xrefs: 004CBD48

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: f7010685832d421fc74169a3b76d820226177e931b25beb6db0846eaf6fd487e
Instruction ID: ff25c293366d89a90b71b8715563bede504623b04d0068e128b5afd97c0d6e8f
Opcode Fuzzy Hash: f7010685832d421fc74169a3b76d820226177e931b25beb6db0846eaf6fd487e
Instruction Fuzzy Hash: C1E1EF39E44209CEEB658F64C852BFEBBB1EB04310F28451FD411EA3D1D7788982DB99

Function 0040B3F2 Relevance: 6.5, Strings: 5, Instructions: 296COMMON

Download Yara Rule

Strings

%d KB, xrefs: 0040B538, 0040B59F
%d KB of %d KB (%d%%), xrefs: 0040B51E, 0040B583
%d:%02d:%02d, xrefs: 0040B5D4, 0040B631
', xrefs: 0040B4D6
wininet.dll, xrefs: 0040B67A

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %d KB$%d KB of %d KB (%d%%)$%d:%02d:%02d$'$wininet.dll
API String ID: 0-1273491097
Opcode ID: d49f1d7220f73154547baebe900de82ce44fb9320066fd4344230f40c752368d
Instruction ID: f2f4f002e9942117c2c422964236c82df54598f2c6894fe1f2e0ce5c6bf5a105
Opcode Fuzzy Hash: d49f1d7220f73154547baebe900de82ce44fb9320066fd4344230f40c752368d
Instruction Fuzzy Hash: 60B1B571A00208AFDB04DFA5CC85FEF7BB5EB44320F108669E625BB2D0DB75A951CB58

Function 00460C4B Relevance: 5.8, Strings: 4, Instructions: 773COMMON

Download Yara Rule

Strings

Invalid Sample, xrefs: 00461447, 004615F2
C:\_\Projects\SunimageStudios\MMBuilder4.9.8.13\FMOD\src\music_formatxm.c, xrefs: 00460DA2, 00460DAC, 00460E2B, 00460E9A, 00460FB9, 00460FEA, 0046102F, 004613CC, 004613F4, 00461499, 004614B3, 004615D8, 00461622, 0046163E
Extended Module: , xrefs: 00460C94
OggS, xrefs: 004614EB

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C:\_\Projects\SunimageStudios\MMBuilder4.9.8.13\FMOD\src\music_formatxm.c$Extended Module: $Invalid Sample$OggS
API String ID: 0-3331465696
Opcode ID: 616e7c7f120f34c14c59174b5318e5fac2b44a31d45d3362822b575cc9e612ad
Instruction ID: 7fe3fa554a506f75ef6628a140af4d7ca019d18a88484c26f42ae567eee2069e
Opcode Fuzzy Hash: 616e7c7f120f34c14c59174b5318e5fac2b44a31d45d3362822b575cc9e612ad
Instruction Fuzzy Hash: E3623670900304BBDB15CF69C841BEEBBB4BF15724F08435AE979AB2E1E7749640CB66

Function 004672A0 Relevance: 5.6, Strings: 4, Instructions: 606COMMON

Download Yara Rule

Strings

#W, xrefs: 0046795C
lQ, xrefs: 00467924
R, xrefs: 00467669
,0U, xrefs: 00467795

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: R$ #W$,0U$lQ
API String ID: 0-1577133675
Opcode ID: d2138fc22ac38c53d05818e95b861fcfc6f0d59530b7acdbf3e8ab27a4fd304b
Instruction ID: f8aa50d42eb091a5a88d514f4b7edf22050a14c6faebdf0af8a29c094d9cebde
Opcode Fuzzy Hash: d2138fc22ac38c53d05818e95b861fcfc6f0d59530b7acdbf3e8ab27a4fd304b
Instruction Fuzzy Hash: 3D32B8B1908341CFD304CF15C89825ABFE1FB84348F12897ED49A9B765E3349969CF89

Function 004AB730 Relevance: 2.1, Strings: 1, Instructions: 812COMMON

Download Yara Rule

Strings

Fax3Decode2D, xrefs: 004ABA7B, 004ABAC3, 004ABD88, 004ABDE8, 004ABF15, 004ABFAE, 004ABFF8, 004AC05D, 004AC0A7

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax3Decode2D
API String ID: 0-1076965030
Opcode ID: 0871fb4c23bc88555706c400b0df0fedb465ce202b2ba3b9eb96936dbec503df
Instruction ID: 484651f7dee36e458cfea2c360bec63d4eab8d309b04d1293eb92d771dc0ca8c
Opcode Fuzzy Hash: 0871fb4c23bc88555706c400b0df0fedb465ce202b2ba3b9eb96936dbec503df
Instruction Fuzzy Hash: DB6279756083428BC708DF28C89166FB7E1FF99304F14892EE995C7392E738D945CB9A

Function 00482CE0 Relevance: 1.8, Strings: 1, Instructions: 523COMMON

Download Yara Rule

Strings

(, xrefs: 00482E42

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: aae242fc3a95d2a8fa64a6b66b103ee95698779c14d01900729326a671013ddb
Instruction ID: 52a18b47120561f2599d45a0feacdcdc8ca244b2fb5b19cbfc9deb41d9ac17c4
Opcode Fuzzy Hash: aae242fc3a95d2a8fa64a6b66b103ee95698779c14d01900729326a671013ddb
Instruction Fuzzy Hash: 0A1271B1A04B419FD3109F699C48A1FBBE4BB94B20F104A2DF565D73E0DB74E840CB56

Function 004ADFCE Relevance: 1.8, Strings: 1, Instructions: 509COMMON

Download Yara Rule

Strings

Fax4Decode, xrefs: 004ADBE0, 004ADCEF, 004ADD4A, 004ADE5A, 004ADE9F

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax4Decode
API String ID: 0-2347097809
Opcode ID: 266345e5c87228e2fabcbf7d6edc945881a442b1840c623093ea21b3a2a08ce9
Instruction ID: 4fe7d09598954c8e99040bf8cc291e2eef5746b588feac74eab480ab916542ba
Opcode Fuzzy Hash: 266345e5c87228e2fabcbf7d6edc945881a442b1840c623093ea21b3a2a08ce9
Instruction Fuzzy Hash: 8A12A171A087428BC708CF28C45167FB7E2BFD9314F158A2EE4AA97741D734E815CB8A

Function 004AAF40 Relevance: 1.7, Strings: 1, Instructions: 495COMMON

Download Yara Rule

Strings

Fax3Decode1D, xrefs: 004AB21A, 004AB25A, 004AB380, 004AB3EB, 004AB430

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax3Decode1D
API String ID: 0-1797029221
Opcode ID: f128dce39b95127d1f90437e52d152e6182241390eeeb1088d819181e1c61b4a
Instruction ID: 409c150f16886ae37bb222ac356eb6f56aad9839a3bf56279019aca577f238ce
Opcode Fuzzy Hash: f128dce39b95127d1f90437e52d152e6182241390eeeb1088d819181e1c61b4a
Instruction Fuzzy Hash: B8028A716083418FC708DF28C8A567FB7E1FF9A304F05496EE89987352E778D8458B9A

Function 004AC1DF Relevance: 1.7, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

Fax3Decode2D, xrefs: 004ABC64, 004ABC80, 004AC05D, 004AC0A7

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax3Decode2D
API String ID: 0-1076965030
Opcode ID: 9433370108120f2d9bc8b7d461ac5188483077c9c0830ee88475afc2d56ceb79
Instruction ID: a6b50c9d61edbe7228a62115f11e66496daff657d2c20c870fd95687c6ba92e5
Opcode Fuzzy Hash: 9433370108120f2d9bc8b7d461ac5188483077c9c0830ee88475afc2d56ceb79
Instruction Fuzzy Hash: 24F1AF71A083428BC708CF28D4A167FB7E2BFD9314F158A2EE89997381D7349945C7DA

Function 004AE6A0 Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

Fax3DecodeRLE, xrefs: 004AE8C9, 004AE907, 004AEA60, 004AEA9E

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax3DecodeRLE
API String ID: 0-1800350793
Opcode ID: 07f5bfdfb610d62c217764d1baa046afaaa3b5e802143a03f1aa7265ae4ba77c
Instruction ID: 6d2bdf6193477a63dd001bbb2d30447fc7acf886eb715f8dbe00d8ae332fa289
Opcode Fuzzy Hash: 07f5bfdfb610d62c217764d1baa046afaaa3b5e802143a03f1aa7265ae4ba77c
Instruction Fuzzy Hash: 22F1A1756083418FC708DF2AC491A6BB7E1FF9A304F05496EF8A687351E774D806CB9A

Function 004845A0 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

3333, xrefs: 00484A3E

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 3333
API String ID: 0-2924271548
Opcode ID: 0be911a615aedfe103c573627d65e3705c132662727e407b73c14cfe375d8f5b
Instruction ID: a9c77db9c1084a626ff3a31722c88506b38510c83baafb81db3d97b1825de8f3
Opcode Fuzzy Hash: 0be911a615aedfe103c573627d65e3705c132662727e407b73c14cfe375d8f5b
Instruction Fuzzy Hash: B50292718097818FC311DF29C480A5AFFF1BF99310F558AAEE5D987362C735A445CB46

Function 004ADA70 Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

Fax4Decode, xrefs: 004ADCEF, 004ADD4A, 004ADE5A, 004ADE9F

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Fax4Decode
API String ID: 0-2347097809
Opcode ID: 4d3901ac2e98c610536ef7b23e4f74a97296cf9b06440fad54a5089a6b40622d
Instruction ID: fca5a50df5a77145c4b3f8ec37d755f1f51893dbd3d017defb2afedffe24779c
Opcode Fuzzy Hash: 4d3901ac2e98c610536ef7b23e4f74a97296cf9b06440fad54a5089a6b40622d
Instruction Fuzzy Hash: BED12874A093028FC304CF28C89096BB7E2BFD9314F55496EF89A87755D735E805CB56

Function 004919EB Relevance: 1.0, Instructions: 980COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecee6d6b7500a96fe3358d572b1f71deacab1b9c8c66790ea71a5182c1587b58
Instruction ID: 81008331dcb5c978dcf0dfd3014a37ceaccdc061f373dfbf950e0f1d6bd6f35b
Opcode Fuzzy Hash: ecee6d6b7500a96fe3358d572b1f71deacab1b9c8c66790ea71a5182c1587b58
Instruction Fuzzy Hash: 84A286B5A00209EFCB08CF58D59099EBBB2FF88314F24C659E8699B355D731EA41CF94

Function 00485970 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8594ebf421c319996f23017f3e0186cf642fb945abbdb217eee8a4a416079db8
Instruction ID: 5b46a9c79d3cc68cb9f7013b449eb55aaf01a43a9a2a93ed3ce5d3f6f1907fff
Opcode Fuzzy Hash: 8594ebf421c319996f23017f3e0186cf642fb945abbdb217eee8a4a416079db8
Instruction Fuzzy Hash: AE52BD71A08B418FD314DF69C84461FBBE1BBD8760F048A2EE9A5D73A0EB74D845CB46

Function 004946D6 Relevance: .7, Instructions: 722COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c90a9b83c1cedee0dd970c459bcc9c5100c68fac567f39e451fd516d73593426
Instruction ID: 8b8a28319edd828aa1039ae0865231815de29660332a3daf3f70a343dbebbdd6
Opcode Fuzzy Hash: c90a9b83c1cedee0dd970c459bcc9c5100c68fac567f39e451fd516d73593426
Instruction Fuzzy Hash: 3C82BC34605209DFCB04CF58C5949E97BB2FF98354F1982A8E8498F756D732EAC2CB94

Function 00498A65 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2c8eabbb25c8f326f8dd4e6e1366114d2eec0920539b86250226b43b848fe2d
Instruction ID: c2f5606f8fe33a01acb20855037967343b453931ebb282af54003dc7e7e7f481
Opcode Fuzzy Hash: e2c8eabbb25c8f326f8dd4e6e1366114d2eec0920539b86250226b43b848fe2d
Instruction Fuzzy Hash: B4524274A00209DFCB08CF99C5909AEBBB2FF8D314B24C699E859AB355D731EA41CF54

Function 00486320 Relevance: .6, Instructions: 557COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 784e75ec305026da52f1d11f9b27a33e1f5652e85bad25a85b98c453f06bcf3c
Instruction ID: 2ff8070d236f090d706f2e8ff19c7011b87d8a223ac84711749f005a4130b9da
Opcode Fuzzy Hash: 784e75ec305026da52f1d11f9b27a33e1f5652e85bad25a85b98c453f06bcf3c
Instruction Fuzzy Hash: 2822FE71A097818BD360DF28C84471FBBE0BFD4720F058A2EE4A9973A1EB74D845CB46

Function 004952DC Relevance: .5, Instructions: 547COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b9a24c4c805cc013b7e66d4443dd893da8ec8561fc6115d400972e15aa1da9
Instruction ID: fda5dcb4320f68b5a468e9c2c55fa1fa98d47c534fffcf73c9f8775ff4110db2
Opcode Fuzzy Hash: 33b9a24c4c805cc013b7e66d4443dd893da8ec8561fc6115d400972e15aa1da9
Instruction Fuzzy Hash: 5D52DB78605209DFCB08CF18C4D49E97BB2FF98354F1982A8E8498F756D731EA81CB94

Function 00472080 Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660e162818801ed54cea0d91db7f5f1a16f292a303e253802e37d95c246f6332
Instruction ID: e6f680f05ae71c76e84579829d2c851d8f0952a822da6fcdaa051c830d53dccd
Opcode Fuzzy Hash: 660e162818801ed54cea0d91db7f5f1a16f292a303e253802e37d95c246f6332
Instruction Fuzzy Hash: BF22D071A00B108FD752CF2CD9407A277E1BBA4349F188679C819CB356DBBA984EDB58

Function 0047B3A0 Relevance: .5, Instructions: 533COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be74cdb10c18400591c7b8369e3110bcdfa4fda074eedc9df11e7badb40b28e6
Instruction ID: 05d4acb782c9cda893ff1c2d280fc3ec0c71ab89dd948d1a523fd5eaebe74ac6
Opcode Fuzzy Hash: be74cdb10c18400591c7b8369e3110bcdfa4fda074eedc9df11e7badb40b28e6
Instruction Fuzzy Hash: 473201756083418FC708CF28D090AAABBF0FF89314F54896EE5999B361D335E949CF96

Function 00470E90 Relevance: .5, Instructions: 529COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2f858548578c420fdcb205f8c09f6e2bd5f579c2c113bf9eb2817b25c012c5
Instruction ID: 87e72da036be2250df1a234330efab5010a182ea65a0c7a0ac3b6f2691886148
Opcode Fuzzy Hash: 6e2f858548578c420fdcb205f8c09f6e2bd5f579c2c113bf9eb2817b25c012c5
Instruction Fuzzy Hash: C122B271610B148FD792CF1CD8847A177A1FB94309F1C8679C808CB766DBBAA84EDB58

Function 0046C740 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062b1ade1581d001230a607426954e7c6ab9aad8ba1957e9cd8b7e8a9a42d913
Instruction ID: fc1af8e76e9a1a80e24151e1bf7528e680ca870e43342fe0707a10ced07da664
Opcode Fuzzy Hash: 062b1ade1581d001230a607426954e7c6ab9aad8ba1957e9cd8b7e8a9a42d913
Instruction Fuzzy Hash: D322AAB1A083458FC748CF0AC4905AAFBE2FFC8300F1AC66DE69947355DB34A919CB85

Function 004886E0 Relevance: .5, Instructions: 490COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1e1cfa6eea7b16e0de514c641694d88a4443eff8373b4aad2343bbac08a259
Instruction ID: e02c142071f1b4e398928e47f360e32b7ef223a8accf6d7039186ae4519ba640
Opcode Fuzzy Hash: 1a1e1cfa6eea7b16e0de514c641694d88a4443eff8373b4aad2343bbac08a259
Instruction Fuzzy Hash: B812F6B1E007059BCB01EFA9DC8469EBBB4FF94360F208A19E465E73D0EB349945CB95

Function 004A5E60 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb5cf7f2dc48fc8a17170171ceea23e3466ea1f3dc05e64aa643223a2dae4f26
Instruction ID: b7c0634b1ed1f3cebcd7a0f9ab33e4192958e2f9f0b99770fb4e69c9b20cf964
Opcode Fuzzy Hash: bb5cf7f2dc48fc8a17170171ceea23e3466ea1f3dc05e64aa643223a2dae4f26
Instruction Fuzzy Hash: A43290B4E04209DFCB08CFA8C5909EEBBB2FF89314F248259E815A7355D734A951CFA4

Function 0047BCF0 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e228b62260c3d9c3283b35bcd93c7339a15ae264b8bc46cd3a8f9de9e8b1918
Instruction ID: bd1ac1b617b7f7f1aa9f723bbac10df3875a5ddf949bda5bf9a0d1a90b90695c
Opcode Fuzzy Hash: 9e228b62260c3d9c3283b35bcd93c7339a15ae264b8bc46cd3a8f9de9e8b1918
Instruction Fuzzy Hash: F9F1BD716047028BD724CF28D9847ABB7E0FB95704F108D2EE49AC7741E778E949CB8A

Function 00467E00 Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082d6bdbfeaa0ffc59ffa838e7860dc3da144fbda64013d2b11aa4ff74d7080c
Instruction ID: 0e879ce47a36016be31b9f7977ae17d093810056a1dea430d84005537b328733
Opcode Fuzzy Hash: 082d6bdbfeaa0ffc59ffa838e7860dc3da144fbda64013d2b11aa4ff74d7080c
Instruction Fuzzy Hash: 1B028EB190478A4BD348CF0AC8505A9BBE3EFC9314F1FC6BDDA994B756DA346508CB48

Function 00468410 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85dfed64dc00d8edc2ecd485e9a1fe37d29aef7f340db35b91b2570a7e75c38f
Instruction ID: 9e0f15137c7ba0c3b5b6c07daddea71f13cde2b1b227b01c7e620f066103308c
Opcode Fuzzy Hash: 85dfed64dc00d8edc2ecd485e9a1fe37d29aef7f340db35b91b2570a7e75c38f
Instruction Fuzzy Hash: 78026EF190468A4BD348CF0AC8505A9BBE3EFD9314F1FC6BDCA994B756DA356508CB08

Function 0046C200 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd0aedcae6a69618be828fd944c17834449a18eca15f8db15a1e72fc037fea61
Instruction ID: 4101d6f4403c6538259544892443a660f63b2dc7175cf2723752e487d83e62db
Opcode Fuzzy Hash: dd0aedcae6a69618be828fd944c17834449a18eca15f8db15a1e72fc037fea61
Instruction Fuzzy Hash: 09F1B3B19046894BD708CF06C8905BAB7E3EFC8314F1FC6BED9895B755EA34A904CB49

Function 00483C00 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767b1a040c5eeb3cb0af48157c4dec79296606dfa3f620d7b205659a8a64c204
Instruction ID: 0e0de28a5c94b306aca2b5739a5458a5ad3ba52c26a8a193ff84081ebc6aa628
Opcode Fuzzy Hash: 767b1a040c5eeb3cb0af48157c4dec79296606dfa3f620d7b205659a8a64c204
Instruction Fuzzy Hash: C5E1C1B1A04741ABC311DF689C88A1FBBE4BBD5B20F044B2EF5A5973D0DB74D8418B5A

Function 00472E10 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd59d38de768a14ff52b549d60241c8622ca41e33d980f50cc052c8b2f01bcb9
Instruction ID: 21715af87caa61365742064e7bdc18bde01b599b2a2f0755926c232d12e0e6b1
Opcode Fuzzy Hash: bd59d38de768a14ff52b549d60241c8622ca41e33d980f50cc052c8b2f01bcb9
Instruction Fuzzy Hash: 08024F75A00A04CFC314CF1DE8447A1B7A1F7F4350F69826AC84B8B3A5E7B5595AEF88

Function 00402BE0 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa81a3186c0ee3f7f424b906eceb81a31a6e04e7578c8d6f6378296ded2970e5
Instruction ID: 9263c236d37bde0812ad4a5779748de255ea8375b8909faf459910fd60ed304e
Opcode Fuzzy Hash: aa81a3186c0ee3f7f424b906eceb81a31a6e04e7578c8d6f6378296ded2970e5
Instruction Fuzzy Hash: 22F1C570A007009BCB219F74C4947EABFF5FF54650F10891ED4EEA72A6DA346989CBA4

Function 004689F0 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f91719342a598a7e05d9a1e079c1d788de9a0e9e510d10f7e2a4ede200ef18
Instruction ID: 57eb3a94b3b80cdc5045b76878df4060c288a09b9021aea743092008d0bc84b1
Opcode Fuzzy Hash: a4f91719342a598a7e05d9a1e079c1d788de9a0e9e510d10f7e2a4ede200ef18
Instruction Fuzzy Hash: 01E192B160838A8FD704CF19D4902AAF7E1FFC8314F094A7DE98997742DB78A905CB49

Function 004941B3 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04545df01fef2d8603ecb584d3239db3ffc21030412313aedd1c3eaa0b596ee0
Instruction ID: 94218af467179b32b2cde7721cdf47b96a15ad6cf21eef152ef8a3c75470e5f6
Opcode Fuzzy Hash: 04545df01fef2d8603ecb584d3239db3ffc21030412313aedd1c3eaa0b596ee0
Instruction Fuzzy Hash: 2202CA346052099FCB04CF18C5D49E97BB6FF98354F1982A8E8498F756D732EAC2CB94

Function 004854B0 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8571368e2c94b3c4571df84d98b14d974d8d22a6f1226291dca6fc194ace0750
Instruction ID: 0fc37d5e663bd2e89127e46a53ec81d5e8870e90157b3d4392e41fe52e368426
Opcode Fuzzy Hash: 8571368e2c94b3c4571df84d98b14d974d8d22a6f1226291dca6fc194ace0750
Instruction Fuzzy Hash: 4FD1AE71904B409FC310AF68CC8451EBBE1BBD4720F448E2EF5AA973A0DB35D895CB4A

Function 0048CC67 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e603ce3373506b332d126606cf6f8764f2985826a55977de10e63dbf2057883
Instruction ID: 257f65ae18c06abe2dde963d57b75261c978bf4df161975445e6a01d0c3f7e2b
Opcode Fuzzy Hash: 5e603ce3373506b332d126606cf6f8764f2985826a55977de10e63dbf2057883
Instruction Fuzzy Hash: 5ED1CA74E0414A8FCF08DFA8C590AFEBBF2FF89304B248559D855AB355D731AA41CB94

Function 00465C90 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c41025a0921fc7d1a7156457f58139a33b5a19aa78c3b51cccbd25543d4492
Instruction ID: 76ef566949e40d9882cddac7644e5a0a4125c3b72d5bb58d7745ef8c50770e37
Opcode Fuzzy Hash: e6c41025a0921fc7d1a7156457f58139a33b5a19aa78c3b51cccbd25543d4492
Instruction Fuzzy Hash: 61A18EB1705A068FDB28CF29D890666F3E2FBC4310B148A2ED556C7B54E731F919CB41

Function 0047E240 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3138c2161538d4e2bfbec9c30bb49b702f07f28928c180ff53d5ddb8691fda25
Instruction ID: 91f50875fcbe481ce56db1884e7669afab254d91437ac4e84f4a98085e7736b4
Opcode Fuzzy Hash: 3138c2161538d4e2bfbec9c30bb49b702f07f28928c180ff53d5ddb8691fda25
Instruction Fuzzy Hash: 66B15B341087818FC315CF29D0906ABBBE1FF89354F544A9DE4EA8B352C335EA4ACB56

Function 004A4650 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 953fdb6f14a6c158136e1cd7547620e6307a9674b7e421fe5ec9ee9327470129
Instruction ID: 6a56b60e4322470868e2bfdc96c16fc12ec3077d3519effe7449119a5ea30fac
Opcode Fuzzy Hash: 953fdb6f14a6c158136e1cd7547620e6307a9674b7e421fe5ec9ee9327470129
Instruction Fuzzy Hash: 4AA1583160D3868FC308CF69C89016AFBE2BFDA208F5DDA7DE5C987312D671A5198B45

Function 004C4B48 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8cdc8d946712dd5b2d19c8fb426b1e6bb959fdf5179e9ae5efb1a2138006e7
Instruction ID: 61d4f3d3fe9748b75caa6f1525b6fb452d1a21046e241d3f86c0fbf8f8c6a7ca
Opcode Fuzzy Hash: 8a8cdc8d946712dd5b2d19c8fb426b1e6bb959fdf5179e9ae5efb1a2138006e7
Instruction Fuzzy Hash: 04B17E3990120ADFDB15CF04C6E0BA9BBA1BF98318F15C19ED81A5B352D735EE42CB94

Function 0047E620 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ec41c46c69d53048ef03adcf53b8c2d06555790f6f1e41e663ca2f8db29973
Instruction ID: b7517ad9775959a06a87335597981958f44d8b6ccb97904d8b0926fa40300029
Opcode Fuzzy Hash: 90ec41c46c69d53048ef03adcf53b8c2d06555790f6f1e41e663ca2f8db29973
Instruction Fuzzy Hash: B4A1A9745087818BC319CF29D0E12ABBBE1FF89704F144A9EE4EA47341C7399A0DCB96

Function 0048F430 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60f67e350f05e76dd521e3340781996e598dcdf71aa39a3177b831e37cbd323
Instruction ID: 20a214bdb5227f898d1e5a63c1e740ca3592335f3c280fa7e2fb2ffb4fd4b84a
Opcode Fuzzy Hash: d60f67e350f05e76dd521e3340781996e598dcdf71aa39a3177b831e37cbd323
Instruction Fuzzy Hash: 3A919D705047018BC714EF19C48462BFBE0FF9C718F14896EE89A9B312E735E95ACB96

Function 0049F9B0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58f0ce9ef3bb1a1e2c0df880989362d0dd9a16f7622ccf7ea60b2f5d451b8537
Instruction ID: 37973702e3e525008f588e7cd41c4e08f29a3193691ad1bfdefd28ec5aef24d9
Opcode Fuzzy Hash: 58f0ce9ef3bb1a1e2c0df880989362d0dd9a16f7622ccf7ea60b2f5d451b8537
Instruction Fuzzy Hash: E9A13974A087458FC714CF29C49095AFBF2BFC8704F198A6DE99987325E770E905CB86

Function 00492730 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd24304c4abf3a3bb0a60ad74ea8f4d0764ef67288512b65010fae8ab31b6d13
Instruction ID: 141f293279fd37fba60f602e91b5be802347cbcd8f7ce2b8bb04764519322535
Opcode Fuzzy Hash: dd24304c4abf3a3bb0a60ad74ea8f4d0764ef67288512b65010fae8ab31b6d13
Instruction Fuzzy Hash: 63A14F74E05148EFCB08CF99C590AADFBF2EF88314F28C1A9E459AB355D630AB51DB44

Function 004ACC50 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9285ce3bd51279bfbf2ff016011c0fc835a3cef75140f551e9780e29e349b43d
Instruction ID: fdacc619983cb7ec617bc63a3db0499b6b9af85d94e6b3188e715944b4308d45
Opcode Fuzzy Hash: 9285ce3bd51279bfbf2ff016011c0fc835a3cef75140f551e9780e29e349b43d
Instruction Fuzzy Hash: 5D8148757057418FD369CF38C4D0AEBB7E2BBAA304F15892DD59A87341EB31A806CB85

Function 0047DFB0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96d9ee1eaee0a8da0051f10e0c717bc06f94893c212da658bca913a8ea9936b
Instruction ID: d3e4da86235d6b0f91986f248bf416cfd91f01a31468f9d05a290e90d73f7f0a
Opcode Fuzzy Hash: a96d9ee1eaee0a8da0051f10e0c717bc06f94893c212da658bca913a8ea9936b
Instruction Fuzzy Hash: 8F81E53150CB914BD325CF29D4A16EBBBE1EFC5704F588A9ED8DA47342C239990DC792

Function 0047387D Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5abacd8482e9122b905e121166ea4ede68ec87fca2c4afc236ae61680c862edc
Instruction ID: e851b71bbc3560605d5587fb03665c6e2e911ff30ef298e336e7ee1c523d492d
Opcode Fuzzy Hash: 5abacd8482e9122b905e121166ea4ede68ec87fca2c4afc236ae61680c862edc
Instruction Fuzzy Hash: EA913E716006148FD714CF1CE9847E177A1FBA4314F18827AD85ACF396E7B6984AEF88

Function 004AAB20 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b137f5a8d16ccda411b07383ec214e77445d811d8196c74a2340a57174dbaf0
Instruction ID: 86ee1d904b916f941879a5d6505c302318786a8af34d4b57fa8e5dbb910a9309
Opcode Fuzzy Hash: 4b137f5a8d16ccda411b07383ec214e77445d811d8196c74a2340a57174dbaf0
Instruction Fuzzy Hash: 965129326046C24FD7258A3C88545BA7B939FB3324B1DC3AAD4E68F7E5D3289C19C356

Function 004D1AC0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a77274a374a83270891047a9ada59e47b1de2ede87ccedda635a8decdd05ce6
Instruction ID: 2e048b9b601e1a85dff869013d670e5d6aaf20f12749d17d6fc1a99a519f6691
Opcode Fuzzy Hash: 8a77274a374a83270891047a9ada59e47b1de2ede87ccedda635a8decdd05ce6
Instruction Fuzzy Hash: D541F2327042545BE70CCE29985A6AF7BD2EBC9350F048A3EFD86C7381DB759509C3A6

Function 004983EA Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eeb8111574a3b5f81a806fe5c88e1d085b560764f4e129ecfb4f96c20fd4697c
Instruction ID: 23ec7c3a989cccaf13117dcff6f1005e02257696fe150ef433f6e10c5345ae00
Opcode Fuzzy Hash: eeb8111574a3b5f81a806fe5c88e1d085b560764f4e129ecfb4f96c20fd4697c
Instruction Fuzzy Hash: BD61F671610549AFDB18CF2DC8916A93BE2EF8D364F45C628F929CF391C639E641CB84

Function 0047BA50 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb24fe0c72093d4e55ae2818cc32eb25b15af8a797ba64735b64b291833bbed
Instruction ID: d8621673ed4f5b4b068b38c66a3da90cafb82beccdce70ab6527852c9c78396c
Opcode Fuzzy Hash: 3cb24fe0c72093d4e55ae2818cc32eb25b15af8a797ba64735b64b291833bbed
Instruction Fuzzy Hash: 5451A1726102118FD718CF19D5D4AAAB7A1FB84330F5AC5BEC8094B762C779E849CBD4

Function 004939C8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10803abfe9408497155cc95b833ea7c9711583ce37e106a614ae27aaf438bbb8
Instruction ID: 46ade54b38a89188860f0a8a7a57f34bbf80b5b9b36476d6a411077158d6ae34
Opcode Fuzzy Hash: 10803abfe9408497155cc95b833ea7c9711583ce37e106a614ae27aaf438bbb8
Instruction Fuzzy Hash: 3A51C638600609ABCB14CF58C4909EDBBB2FF8C359F5581A9ED499B345C735AE96CB80

Function 00408343 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d79190779ce79fa2eeb8db84566380dd244e1d09099cebe50fdff5c1b36f4f3
Instruction ID: 6634d0e0c641760cf6f14b4ba0e1bf143d210d75b743b026ca43d900d3f5a9fe
Opcode Fuzzy Hash: 8d79190779ce79fa2eeb8db84566380dd244e1d09099cebe50fdff5c1b36f4f3
Instruction Fuzzy Hash: F641C772E553869FC305CBA844803D97F60AB3A214F2CC6AED4449B383D2B79A17C755

Function 004AE52C Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25dbbec07972e827935204aa65a706bf9e716d69b6bbe577eb9217b3a8d84203
Instruction ID: 57f5d4e3e61eae40d131d9e6cee58113ddddea5353db4589ef9e633684e20e09
Opcode Fuzzy Hash: 25dbbec07972e827935204aa65a706bf9e716d69b6bbe577eb9217b3a8d84203
Instruction Fuzzy Hash: A8113D32B016019FD3208E9AD8815A7F3ACFF91321F14CA69EA548BF41EB35E8158794

Function 004BF840 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: 9a88a1101b128aed7c77b2d6872e7d9a5471aaf8a76afc3161d76d5ebd283ee8
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 74117AA720004283D708AA6ACCB42F7E396EBD532072C927BD04A8F744D329981D9628

Function 0046E931 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b9f17a9856f5df6cfcd35dee87d8552d33e820aea7905f9102d985d02bee05
Instruction ID: 435673c4bf63559bae11650a15c22e7bdd0923de067ae1c260c6f216c8a24cb7
Opcode Fuzzy Hash: 63b9f17a9856f5df6cfcd35dee87d8552d33e820aea7905f9102d985d02bee05
Instruction Fuzzy Hash: A91166366052A18FC71DCB2A88804667BA2AFEB21035D85DDC6815B366C530FC56DBD1

Function 0047A2EC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a009ba7f61ca2f80a1679c463755f8fb237b57adc86e6e852a805a62e787f96e
Instruction ID: dd77e7e2542e6cc41ec80785e209233ee8d8eec4cb26ab23b28847132b5f4a5f
Opcode Fuzzy Hash: a009ba7f61ca2f80a1679c463755f8fb237b57adc86e6e852a805a62e787f96e
Instruction Fuzzy Hash: 3201B1702281208BAF1C8E24D9E51BF7391DBDA315368C49FDD4BD7349D528F821829B

Function 0040900B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c11a34e7fc2797c81b6d3d96ec211f9510f615d443a3dcb81f81fe25ef23bd2
Instruction ID: 388506fa408a8c8649c0d9032b3b4f844e792020124fe7ade5f7e65e638fc156
Opcode Fuzzy Hash: 2c11a34e7fc2797c81b6d3d96ec211f9510f615d443a3dcb81f81fe25ef23bd2
Instruction Fuzzy Hash: BC015272E002689BCB14CF9DCD41BDDFBB9EB48730F104216E425B32D0C67559008AA4

Function 004082E6 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2848058522.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2848040944.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848140067.00000000004EA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000511000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848173365.0000000000530000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2848231152.0000000000587000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c749595c377feada4e38bc7b4c8236450e21c63ec817ce0f6473c998b7efa4a
Instruction ID: f25893e3c592bd7e8bf7ba40b4d6a9d7b26c8eea93a8ae938c0a28298ba5231a
Opcode Fuzzy Hash: 2c749595c377feada4e38bc7b4c8236450e21c63ec817ce0f6473c998b7efa4a
Instruction Fuzzy Hash: 3CF082B6548644BFD710DB49AD42BAABB6CE740A70F20432BF011926C0D27969018579

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_33cbd787311dc2429e65fee66ad824c02ead7e_4c7bbdba_cbd6c6ef-7bea-4283-84d5-b2012cb51b43\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcbd84ccbdb49ee0426243222b957337193e8feb_4c7bbdba_0ecf2dfb-43fa-4926-83ef-82aebbc861db\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC902.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC932.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC952.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Function 004BEBB7 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 004BCD04 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON