Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe

Overview

General Information

Sample name: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe
Analysis ID: 1431431
MD5: 44ba489fd3a12bd062c96421145d2d2f
SHA1: 867383ba1ed8a9760c4051beb1a694fa662758f9
SHA256: 161a2f35c23c46ab65bdb91ed5cc720919b96d11fc6b9a8d2a9498d2ec35fc84
Tags: exe

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Detected potential crypto function
One or more processes crash
PE file does not import any functions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Virustotal: Detection: 19%
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: Http://ptlogin2.qq.com/check?uin=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ad.23gua.com/farm.html
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ad.23gua.com/pasture.html
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/farm/key.xml
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/QQ
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/card.xml
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/farm.html
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/farm.htmlU
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://api.23gua.com/fy/farm.xml
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://appimg.qq.com/happyfarm/module/Main2_v_6.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://appimg.qq.com/happyfarm/module/Main2_v_9.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://appimg.qq.com/happyfarm/module/loading2_v_1.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://base.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://captcha.qq.com/getimage?aid=10000101&vc_type=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ctc.appimg.qq.com/mc/module/Master2_v_5.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ctc.appimg.qq.com/mc/module/mc/main/commonui_v_5.swf?v=1
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ctc.appimg.qq.com/mc/module/mc/main/farmui1_v_25.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ctc.appimg.qq.com/mc/module/mc/main/farmui2_v_19.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeed
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_getseedinfo?mod=repertory&act=getSeedInfo
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_ini_run_v2?v=12
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_reclaim?mod=user&act=reclaim
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_reclaimpay?mod=user&act=reclaimPay
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_upgrade
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_attack_beast
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_getseedinfo?mod=repertory&act=getSeedInfo
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_pickup_crystal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_reclaim?mod=user&act=reclaim
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_reclaimpay?mod=user&act=reclaimPay
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://farm.xiaoyou.qq.com/cgi-bin/cgi_farm_upgrade
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/animalConfig.xml
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_buy_animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_donate_animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_enter
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_feed_food
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_fight
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_get_Exp
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_get_animals
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_get_package
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_get_repertory?target=animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_harvest_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_help_pasture
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_post_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_raise_cub
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_sale_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_steal_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.qzone.qq.com/cgi-bin/cgi_up_animalhouse
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/animalConfig.xml
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_buy_animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_donate_animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_enter
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_feed_food
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_fight
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_get_Exp
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_get_animals
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_get_repertory?target=animal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_harvest_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_post_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_raise_cub
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_sale_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://mc.xiaoyou.qq.com/cgi-bin/cgi_steal_product
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_attack_beast
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_getFriendList?mod=friend
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_getstatus_filter?cmd=3
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_getusercrop?f=1
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&ownerId=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=clearWeed
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=spraying
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=water
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_pickup_crystal
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=harvest
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_saleall?mod=repertory&act=saleAll
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_steal_v2?mod=farmlandstatus&act=scrounge
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getFriendList?mod=friend
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getstatus_filter?cmd=3
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_getusercrop?f=1
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&ownerId=
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=clearWeed
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=spraying
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_opt?mod=farmlandstatus&act=water
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=harvest
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_saleall?mod=repertory&act=saleAll
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://nc.xiaoyou.qq.com/cgi-bin/cgi_farm_steal_v2?mod=farmlandstatus&act=scrounge
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ptlogin2.qq.com/getimage?aid=353&
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ptlogin2.qq.com/getimage?aid=353&U
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://ptlogin2.qq.com/login?u=
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.23gua.cm
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.23gua.com
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.23gua.comopen
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.23gua.comopenS3
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: http://www.indyproject.org/
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0047A1E4 0_2_0047A1E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004BC56C 0_2_004BC56C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0047FCE4 0_2_0047FCE4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004C8E84 0_2_004C8E84
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004B2F40 0_2_004B2F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004A7F70 0_2_004A7F70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 232
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Static PE information: No import functions for PE file found
Source: classification engine Classification label: mal52.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1072
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2375f42e-1180-4ee2-8b4f-04e2b52962ad
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Virustotal: Detection: 19%
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: NATS-SEFI-ADD
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: NATS-DANO-ADD
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: jp-ocr-b-add
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: jp-ocr-hand-add
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: ISO_6937-2-add
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: 0=http://appimg.qq.com/happyfarm/module/loading2_v_1.swf
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe String found in binary or memory: 80=http://appimg.qq.com/happyfarm/module/loading2_v_1.swf
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Section loaded: apphelp.dll
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Static file information: File size 1761280 > 1048576
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x162000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046B058 push 0046B084h; ret 0_2_0046B07C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004C5074 push 004C50A0h; ret 0_2_004C5098
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004CD02C push 004CD0E5h; ret 0_2_004CD0DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_00434020 push 0043406Ch; ret 0_2_00434064
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004BF0CC push 004BF126h; ret 0_2_004BF11E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004430FC push 00443128h; ret 0_2_00443120
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004D1080 push 004D10ACh; ret 0_2_004D10A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046B090 push 0046B0BCh; ret 0_2_0046B0B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004A70B4 push 004A712Eh; ret 0_2_004A7126
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004CD108 push 004CD134h; ret 0_2_004CD12C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0048611C push 00486148h; ret 0_2_00486140
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046B110 push 0046B13Ch; ret 0_2_0046B134
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_00430130 push 0043015Ch; ret 0_2_00430154
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004A71D8 push 004A7204h; ret 0_2_004A71FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004171D4 push 0041724Ah; ret 0_2_00417242
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046E1EC push 0046E238h; ret 0_2_0046E230
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004551F4 push 0045525Ah; ret 0_2_00455252
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004261F8 push 004262A3h; ret 0_2_0042629B
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004A7188 push 004A71B4h; ret 0_2_004A71AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046E188 push 0046E1CBh; ret 0_2_0046E1C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_00433198 push 004331E7h; ret 0_2_004331DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004951B8 push 004951FBh; ret 0_2_004951F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0046E244 push 0046E28Fh; ret 0_2_0046E287
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0041724C push 004172F4h; ret 0_2_004172EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0045525C push 004552E9h; ret 0_2_004552E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_00458204 push 00458230h; ret 0_2_00458228
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004322C4 push 00432302h; ret 0_2_004322FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0043D2D4 push 0043D300h; ret 0_2_0043D2F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_004312DC push 00431308h; ret 0_2_00431300
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0043D284 push 0043D2B0h; ret 0_2_0043D2A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_0043129C push 004312C8h; ret 0_2_004312C0
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.12002.13899.exe Code function: 0_2_00562DC0 EntryPoint,LdrInitializeThunk, 0_2_00562DC0
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
No contacted IP infos