IOC Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe

Files

File Path | Type | Category | Malicious
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_33cbd787311dc2429e65fee66ad824c02ead7e_4c7bbdba_cbd6c6ef-7bea-4283-84d5-b2012cb51b43\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_bcbd84ccbdb49ee0426243222b957337193e8feb_4c7bbdba_0ecf2dfb-43fa-4926-83ef-82aebbc861db\Report.wer | Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC902.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 13 20:44:26 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC932.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC952.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDD0.tmp.dmp | Mini DuMP crash report, 14 streams, Sun Oct 13 20:43:38 2024, 0x1205a4 type | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE10.tmp.WERInternalMetadata.xml | XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators | dropped |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4F.tmp.xml | XML 1.0 document, ASCII text, with CRLF line terminators | dropped |
C:\Windows\appcompat\Programs\Amcache.hve | MS Windows registry file, NT/2000 or above | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe | "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.480.11794.exe" | malicious
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 236 |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 224 |

URLs

Name | IP | Malicious
http://www.clamav.net | unknown |
http://upx.sf.net | unknown |
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab | unknown |
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabswflash.cabFlash | unknown |

Registry

Path | Value | Malicious
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | ProgramId |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | FileId |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | LowerCaseLongPath |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | LongPathHash |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Name |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | OriginalFileName |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Publisher |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Version |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | BinFileVersion |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | BinaryType |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | ProductName |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | ProductVersion |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | LinkDate |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | BinProductVersion |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | AppxPackageFullName |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | AppxPackageRelativeId |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Size |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Language |
\REGISTRY\A\{95e3454b-63b7-b980-3a0d-fa03e566e74b}\Root\InventoryApplicationFile\securiteinfo.com|65290bf1aa9cfede | Usn |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property | 00180011F365DFFB |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceTicket |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | DeviceId |
HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} | ApplicationFlags |

Memdumps

Base Address | Region type | Protect | Malicious
4EA000 | unknown | page readonly |
7CE000 | heap | page read and write |
400000 | unknown | page readonly |
401000 | unknown | page execute read |
400000 | unknown | page readonly |
7C0000 | heap | page read and write |
587000 | unknown | page readonly |
1F0000 | heap | page read and write |
4EA000 | unknown | page readonly |
530000 | unknown | page write copy |
401000 | unknown | page execute read |
511000 | unknown | page write copy |
590000 | heap | page read and write |
9D000 | stack | page read and write |
19D000 | stack | page read and write |
640000 | heap | page read and write |
530000 | unknown | page write copy |
511000 | unknown | page write copy |
7CA000 | heap | page read and write |
587000 | unknown | page readonly |