Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
Analysis ID:	1431432
MD5:	a0eb783f7d96fc0aa4b43d9d29801ecc
SHA1:	c6404438c66a3780d9285463ff193ed02a034185
SHA256:	1d54ffeacd4f1b7db036645676e3941b6f2bb272853b79ccf4548576883c9b95
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (STR)

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe (PID: 6808 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe" MD5: A0EB783F7D96FC0AA4B43D9D29801ECC)

WerFault.exe (PID: 3672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Virustotal: Detection: 40%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://bbs.zouboke.cn/NCVIP/SCVersion.html
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeed
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeednumcName
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeedcIdD
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&flag=1
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&uinY=&uIdx=http://nc.qzone.qq.com/cgi
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarifycodedirection
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://ptlogin2.qq.com/check?appid=353&uin=
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://ptlogin2.qq.com/getimage
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://ptlogin2.qq.com/login
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://show.qq.com/cgi-bin/qqshow_user_info
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://show.qq.com/cgi-bin/qqshow_user_infoname=uin=
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&hide_title_bar=1&no_verifyi
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://user.qzone.qq.com/
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://www.59tou.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://www.59tou.com?scV4.1.0.0
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://www.59tou.com?scV4.1.0.0http://user.qzone.qq.com/
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00464130	0_2_00464130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_004644A0	0_2_004644A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0048C674	0_2_0048C674
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_004488A0	0_2_004488A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00424B50	0_2_00424B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00468BA0	0_2_00468BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0042CF40	0_2_0042CF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00469040	0_2_00469040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_004351E0	0_2_004351E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00469470	0_2_00469470
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00485C6F	0_2_00485C6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00481F86	0_2_00481F86
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00426020	0_2_00426020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0046A240	0_2_0046A240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0046A7C0	0_2_0046A7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_004229A0	0_2_004229A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0042EB30	0_2_0042EB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0043AC90	0_2_0043AC90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00456DF0	0_2_00456DF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0047AF40	0_2_0047AF40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00457890	0_2_00457890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_00463DA0	0_2_00463DA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: String function: 0047C2E8 appears 170 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: String function: 0048B735 appears 62 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: String function: 0047AA7F appears 46 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal60.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6808

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5592b4bb-f12f-414b-ab5f-d66802374432

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Virustotal: Detection: 40%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Static file information: File size 1479680 > 1048576

Source: initial sample

Static PE information: section where entry point is pointing to: .clam01

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Static PE information: section name: .clam01
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Static PE information: section name: .clam02
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Static PE information: section name: .clam03
Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Static PE information: section name: .clam04

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0047C2E8 push eax; ret	0_2_0047C306
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0047A460 push eax; ret	0_2_0047A48E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049F208 push esp; retf 000Fh	0_2_0049F209
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049F20C push 76000FCAh; retf 000Fh	0_2_0049F211
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049F6E0 push es; ret	0_2_0049F6E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049F708 push esp; retn 000Fh	0_2_0049F709
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049F70C push 7A000FC2h; retn 000Fh	0_2_0049F711
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	Code function: 0_2_0049FE47 push eax; retf	0_2_0049FE75

Source: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Static PE information: section name: .clam02 entropy: 7.077204265573221

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Code function: 0_2_0049F59C str word ptr [eax+edx*8+0Fh]

0_2_0049F59C

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Code function: 0_2_00478E10 EntryPoint,LdrInitializeThunk,

0_2_00478E10

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	41%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://bbs.zouboke.cn/NCVIP/SCVersion.html	0%	Avira URL Cloud	safe
http://www.59tou.com?scV4.1.0.0http://user.qzone.qq.com/	0%	Avira URL Cloud	safe
http://www.59tou.com	0%	Avira URL Cloud	safe
http://www.59tou.com?scV4.1.0.0	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.59tou.com?scV4.1.0.0http://user.qzone.qq.com/	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false	Avira URL Cloud: safe	unknown
http://www.59tou.com?scV4.1.0.0	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false	Avira URL Cloud: safe	unknown
http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeed	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://bbs.zouboke.cn/NCVIP/SCVersion.html	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false	Avira URL Cloud: safe	unknown
http://show.qq.com/cgi-bin/qqshow_user_infoname=uin=	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://farm.qzone.qq.com/cgi-bin/cgi_farm_buyseed?mod=repertory&act=buySeednumcName	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeedcIdD	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://ui.ptlogin2.qq.com/cgi-bin/login?link_target=blank&appid=15000101&hide_title_bar=1&no_verifyi	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://show.qq.com/cgi-bin/qqshow_user_info	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://www.clamav.net	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarifycodedirection	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://ptlogin2.qq.com/getimage	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://farm.qzone.qq.com/cgi-bin/cgi_farm_getuserseed?mod=repertory&act=getUserSeed	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://ptlogin2.qq.com/check?appid=353&uin=	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=planting	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://user.qzone.qq.com/	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_plant?mod=farmlandstatus&act=scarify	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://www.59tou.com	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false	Avira URL Cloud: safe	unknown
http://ptlogin2.qq.com/login	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&uinY=&uIdx=http://nc.qzone.qq.com/cgi	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high
http://nc.qzone.qq.com/cgi-bin/cgi_farm_index?mod=user&act=run&flag=1	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431432
Start date and time:	2024-04-25 05:29:52 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
Detection:	MAL
Classification:	mal60.winEXE@2/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 38
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_30f3736b47cfb9d1de897e1dfe0f23861ec6a4_8a5a6b8f_33faa546-2f18-40b2-844a-dde5791fff97\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.687254449507586
Encrypted:	false
SSDEEP:	96:Y2Ff5+TAskhMyoI7Jf9QXIDcQvc6QcEVcw3cE/P+HbHg6ZAX/d5FMT2SlPkpXmTC:PV5yAy0BU/IjEzuiFFZ24IO8+R
MD5:	3D7B46D6CBE9BE13473687C6CDB86FF1
SHA1:	8FD5E3156479695651C830FFB588A3A47955C98F
SHA-256:	A2BC51D1A458F11867247833D73D1488ADE9D9529A87585D99F10BC1FEF5112A
SHA-512:	8FAA3AA8ED84ADD319FE3138B4CAE230CA3EE64A0159953220CAAFF1D66C438E5F504700592B928D4ABA626EC44DE515794E4A4CC169ADE69B51744BC04AAB51
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.4.4.5.4.5.3.8.5.7.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.4.4.5.6.7.2.5.9.9.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.3.f.a.a.5.4.6.-.2.f.1.8.-.4.0.b.2.-.8.4.4.a.-.d.d.e.5.7.9.1.f.f.f.9.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.8.f.6.9.7.7.7.-.8.6.4.c.-.4.5.4.8.-.8.1.7.6.-.1.3.2.6.8.d.0.6.4.e.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...1.1.S.C.E.U.B...1.0.6.9.9...1.2.0.8.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.9.8.-.0.0.0.1.-.0.0.1.4.-.5.c.a.7.-.0.e.f.5.c.0.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.5.9.8.f.8.e.5.3.8.2.e.5.4.b.6.1.0.3.5.f.3.b.9.d.f.7.4.5.8.4.f.0.0.0.0.f.f.f.f.!.0.0.0.0.c.6.4.0.4.4.3.8.c.6.6.a.3.7.8.0.d.9.2.8.5.4.6.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D9.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:30:45 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18714
Entropy (8bit):	1.9762959279562577
Encrypted:	false
SSDEEP:	96:5Bt8dE3Vv4cCHOmi7nrn2mmlFBWIkWI50I4PjAOJ:P286OSmSVP0OJ
MD5:	07C313B1A619A4629BE274FCB8B83F65
SHA1:	443003504541D6BC7F3352F66AC97ACBE2F720F6
SHA-256:	1E03E06ABCFAD4AAD06EA645CAB060F860FDD8FDC05F1E69C7F9C4C85CBA1E6B
SHA-512:	7CCF5033C52FCD37659A2C7FECABE7E4F41DDE2F44692893D5A4B267FFE2ADBB8DFE25128C5E4AF9C226442D6468FD50C281F471E5A1423D7BA6816518204461
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......e.)f............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T...........e.)f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3818.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8494
Entropy (8bit):	3.7069412093699023
Encrypted:	false
SSDEEP:	192:R6l7wVeJOP6E6YS/SU9BxgmfLC1prH89bs0sfcEkm:R6lXJO6E6Y6SU9BxgmfmAsnfL
MD5:	FEEF8E57287103E7DA3E942B796FF0F4
SHA1:	24A781B170570399794F26B6347D54C21ECF39A2
SHA-256:	DD0B373A6843BEE338087649A3769ECC423EA3B880E918ECBB9785ECF489DE46
SHA-512:	283A55F43BEF40038DA80A7BE68FF3156BC26FEA82113FDCD4C1F3E333E86B8AE280E2EC45C575FCFDE6EC1F01AEC1ABBC1DA0E6F5C1EA9A95BE56C964058A36
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3848.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4834
Entropy (8bit):	4.608445623329582
Encrypted:	false
SSDEEP:	48:cvIwWl8zsVJg77aI93vijBWpW8VYmYm8M4JwwFlh+q8GUoJCq+KWd:uIjfvI7pvijQ7ViJ33JCq+KWd
MD5:	7D1DE3863CCF6EE88304FC33D3B4B286
SHA1:	C50EB39E56A4247C830CE01AB7EAF0DCDCAF4C0D
SHA-256:	0E9974E71895C172543BD45709323FF7496FFB0C0B430C657749FF5BAC7D0515
SHA-512:	76C2B0190C934B37DFC2A1D919F6F2341F8BA3FFC5549115E6A0FAED9A202066E6161190044441AEC412D2218B18AEB37E56D428B2C54ED4B16A7E55D3CE8E84
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294873" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372377109970228
Encrypted:	false
SSDEEP:	6144:aFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNviL:SV1QyWWI/glMM6kF7Zq
MD5:	83882720DC634B7D8237A4F345E603E0
SHA1:	570100077C46962EEDCB0A0E76C2E72D71A5AF6B
SHA-256:	2389356467EC89CD36BC585A3EBD3DED73F00B673B91C30C79CED9EE53F78779
SHA-512:	58A8BF010CDCA83523CA88676D038248BFC5A12623382C965B1F6B8FA3A2F95B52FC2DB80FC4D39A0B62455F1FD5EB9E4E132D1612C8A401BDE13B753080F3EC
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~dB...................................................................................................................................................................................................................................................................................................................................................T.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.754151642167965
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
File size:	1'479'680 bytes
MD5:	a0eb783f7d96fc0aa4b43d9d29801ecc
SHA1:	c6404438c66a3780d9285463ff193ed02a034185
SHA256:	1d54ffeacd4f1b7db036645676e3941b6f2bb272853b79ccf4548576883c9b95
SHA512:	0ef74ee0261d49d36ed118d807904c463640b9eb25ca3afb4f67ddc480432a7c7d7d7918aca394b70da975f2d4392e66e8b84e0832d737c9e1447495ec7f4a4c
SSDEEP:	24576:hao17ODDWL/lFoRZ5snN2mrJYT8KOrlG3k:hADDq4L6NyQKORX
TLSH:	C865AE51B9D380B1E675243004B67B36FA75EA460F1AAFC3B3ACDD2C2F72641953B11A
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM...................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x478e10
Entrypoint Section:	.clam01
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004F0AF0h
push 0047B428h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0049F2A4h]
xor edx, edx
mov dl, ah
mov dword ptr [005489E4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [005489E0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [005489DCh], ecx
shr eax, 10h
mov dword ptr [005489D8h], eax
push 00000001h
call 00007F6DE0DAB951h
pop ecx
test eax, eax
jne 00007F6DE0DA692Ah
push 0000001Ch
call 00007F6DE0DA69E8h
pop ecx
call 00007F6DE0DAB6FCh
test eax, eax
jne 00007F6DE0DA692Ah
push 00000010h
call 00007F6DE0DA69D7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F6DE0DAB52Ah
call dword ptr [0049F3A4h]
mov dword ptr [0054A1E4h], eax
call 00007F6DE0DAB3E8h
mov dword ptr [0054899Ch], eax
call 00007F6DE0DAB191h
call 00007F6DE0DAB0D3h
call 00007F6DE0DA98B1h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0049F220h]
call 00007F6DE0DAB064h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F6DE0DA6928h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.clam01	0x1000	0x9e000	0x9e000	eeac33f0332abf4048de4104717b9d7e	False	0.5311990086036392	data	6.520172497285075	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam02	0x9f000	0x60000	0x60000	b07c5051663bb9c7d824fc02274201d2	False	0.7133839925130209	zlib compressed data	7.077204265573221	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam03	0xff000	0x4c000	0x4c000	4b314eecc375c4d474c96e2205f34ab5	False	0.09711657072368421	data	1.9534800043734108	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam04	0x14b000	0x1f000	0x1f000	7e7234f4937a2e81824c53f8408b2f2c	False	0.08805601058467742	data	1.4353683114964646	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exePID: 6808, Parent PID: 4084

General

Target ID:	0
Start time:	05:30:45
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe"
Imagebase:	0x400000
File size:	1'479'680 bytes
MD5 hash:	A0EB783F7D96FC0AA4B43D9D29801ECC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 3672, Parent PID: 6808

General

Target ID:	4
Start time:	05:30:45
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6808 -s 232
Imagebase:	0x1a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exePID: 6808, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 00478E10 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00478E36

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 852bbab473ec44e9434d2fb0fa5206a334a031323a73365ee88540d4af3425c7
Instruction ID: 1a7dadee4d3542234e4701c75d8cce714d0ab50b532edaded05c971706081eb8
Opcode Fuzzy Hash: 852bbab473ec44e9434d2fb0fa5206a334a031323a73365ee88540d4af3425c7
Instruction Fuzzy Hash: A42191B0C50705AED708ABA2DC4ABFE7BB8EF15708F10852FF509DA291DF3884409B59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00426020 Relevance: 5.9, Strings: 4, Instructions: 859COMMON

Download Yara Rule

Strings

,TQ, xrefs: 004260DE
,TQ, xrefs: 004269EF, 004269F6
,TQ, xrefs: 0042645B
,TQ, xrefs: 00426AE5

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,TQ$,TQ$,TQ$,TQ
API String ID: 0-2312002942
Opcode ID: 242c8eaffe7d010be64101d9d020378f261876e5da7d6cc7c39ca99f2ce57e95
Instruction ID: a80fc65e1f3bef79a24cf75512dc9022ee5da68f85480b8f42dd1253e6981d3c
Opcode Fuzzy Hash: 242c8eaffe7d010be64101d9d020378f261876e5da7d6cc7c39ca99f2ce57e95
Instruction Fuzzy Hash: B862F1717043219BD724DF25E880B6FB7E4AF84704F55492EF88A97381DA38EC45CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043AC90 Relevance: 5.2, Strings: 3, Instructions: 1494COMMON

Download Yara Rule

Strings

4, xrefs: 0043B132
WHI, xrefs: 0043B278, 0043C188, 0043C2CF
{HI, xrefs: 0043AEBE, 0043AF5C, 0043AFFC, 0043BF0C

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: 4$WHI${HI
API String ID: 3519838083-4163243837
Opcode ID: c7d742a94b080b6bdb42f596b6ac0d43086b77a59b69cf752fc3ebecd5dff0c7
Instruction ID: f928b442f0aaeda41f0dc64107dcacc4a44d372af83daae6f1ebdef89e6bc429
Opcode Fuzzy Hash: c7d742a94b080b6bdb42f596b6ac0d43086b77a59b69cf752fc3ebecd5dff0c7
Instruction Fuzzy Hash: EBD239712083849FD724DF65C895BAFB7E9EFC8704F004A2EF58A83251DB74A905CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004644A0 Relevance: 3.5, APIs: 2, Instructions: 495COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0046451F
__ftol.LIBCMT ref: 00464532

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 8223aba9ede0bf009a5b6076c8fd4906a4ba6c1ad525ceafe8317a794f57c10b
Instruction ID: 4762022fd1be295cfbd205296bbfd2015cdbf20332f5eb70f16ef769b0a2d3ac
Opcode Fuzzy Hash: 8223aba9ede0bf009a5b6076c8fd4906a4ba6c1ad525ceafe8317a794f57c10b
Instruction Fuzzy Hash: 3402C371A087018FC718CF29C99125FBBE1FFC9304F148A2EE99A87355E734A9058B87

Uniqueness

Uniqueness Score: -1.00%

Function 00464130 Relevance: 3.3, APIs: 2, Instructions: 276COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 004641AA
__ftol.LIBCMT ref: 004641BD

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: ffa7420329351fe70f1753609f2dddfea1692191b06ecb787cd1a65f67070381
Instruction ID: fdb35b1749397ed0b9311182d9f7d804247417ab66675304ead974f8cdfd4bdf
Opcode Fuzzy Hash: ffa7420329351fe70f1753609f2dddfea1692191b06ecb787cd1a65f67070381
Instruction Fuzzy Hash: 4EA169B16083058FC708CF19C99125BFBE5FBD9301F098A2EE58A87351E234E909CF96

Uniqueness

Uniqueness Score: -1.00%

Function 004351E0 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

MTrk, xrefs: 0043535C
d, xrefs: 00435424

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: 013aab3f79d19d49a3bde93343fef5d7c5356275b670243bab468c4cdc50789d
Instruction ID: eefb9fa0fe5a7c7894306762ddd5054c39b6fdd38dcb16cfb015ee352944ec45
Opcode Fuzzy Hash: 013aab3f79d19d49a3bde93343fef5d7c5356275b670243bab468c4cdc50789d
Instruction Fuzzy Hash: C191A171B006059FD718CF29C88066AB7E2EFD8304F24993EE85ACB345EA78E945CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004229A0 Relevance: 2.2, Strings: 1, Instructions: 979COMMON

Download Yara Rule

Strings

d, xrefs: 004229B3

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 462bc6457ad3308a3e33784b54a005257550846699c33fc8dca8b5a4053bbb42
Instruction ID: 796e0001326325db057e69f1db5dce7803d9c97b5fd4c1a2850b1211eb9c197f
Opcode Fuzzy Hash: 462bc6457ad3308a3e33784b54a005257550846699c33fc8dca8b5a4053bbb42
Instruction Fuzzy Hash: 78728C71704351ABC320DF25D880B6FB7E8AF84B04F51492EF98997341DB78E945CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0048C674 Relevance: 1.9, APIs: 1, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0048C679

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: de467745f62e74634391110d47d6ce8cee0246f21cb468293faff7b330889882
Instruction ID: 9fbdb9b41a8d595ece5633b14f251e332f1c4a431f09e68ec0a792549bed29de
Opcode Fuzzy Hash: de467745f62e74634391110d47d6ce8cee0246f21cb468293faff7b330889882
Instruction Fuzzy Hash: 8CE16B70600209AFDF15EF65C8C1ABE7BA9EF44714F10891AF816EA291D738E901DB79

Uniqueness

Uniqueness Score: -1.00%

Function 00485C6F Relevance: 1.7, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

Z Q, xrefs: 00485DC5, 00485E36, 00485E97, 00485F80, 00485FCA

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Z Q
API String ID: 0-394409908
Opcode ID: 3ff2035a268c8c739ee912fe05d6ab8cab211ea7c1fbb89038df8ee69cb05edd
Instruction ID: 9a8d6b32fc9fb7a8bc6ebbeb0ddc012300c84bebdcceff86e57d732e670da3e8
Opcode Fuzzy Hash: 3ff2035a268c8c739ee912fe05d6ab8cab211ea7c1fbb89038df8ee69cb05edd
Instruction Fuzzy Hash: 07E10131D55A49CEEB25EF54C8057FE7BB1BB14305F68881BD601AB281D37C8A86DB09

Uniqueness

Uniqueness Score: -1.00%

Function 004488A0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8cb36225d670f8de47820125af785e6af58a9b20f4526891ecae9c900f92db
Instruction ID: 8b3f8a415be1d9bf86d4792568dc71a0215f4728d2848bbdf3b235db610d6a4e
Opcode Fuzzy Hash: 9b8cb36225d670f8de47820125af785e6af58a9b20f4526891ecae9c900f92db
Instruction Fuzzy Hash: 7B52B9767447095BD308CE9ACC9159AF3D3ABC8304F498A3CE956C3346EEB8ED0AC655

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB30 Relevance: .6, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390f95ad85a8be8cc02b02743207f16d0d7c024dae2cf1d95beeea0ef8cae8b4
Instruction ID: 5215b0f1f66601f329e0d7b2cecbf9348789c06915777f1fb1b8bf6a49b2dba0
Opcode Fuzzy Hash: 390f95ad85a8be8cc02b02743207f16d0d7c024dae2cf1d95beeea0ef8cae8b4
Instruction Fuzzy Hash: A1320370F00225DBDB14DFAAD881AEEB7B1BF08314F64417AE406A7381D738AD45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0046A240 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: 60dab683f2fbd2dbecf38058ab098cf0c081b4acd4b7755ef1b0f272c95cb5b2
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: C0F1AD725086408FC3098F18D5989E27BE1FFA8314B1F42FAD449AB363E736D841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00469040 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117d97c18bb037726ef080ccaa3078ae9c3d1298e37d3f34379a519f34f5e2e4
Instruction ID: c81d4f905d8d1bf63fbd1a7b863958100183a7ab22b1e6fbb8bb6b6342c11df9
Opcode Fuzzy Hash: 117d97c18bb037726ef080ccaa3078ae9c3d1298e37d3f34379a519f34f5e2e4
Instruction Fuzzy Hash: A8D12675204B418FD324CF29C990AA7B7E9FF89304B14892ED8DA87B51EB75F842CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF40 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfae619ca40940b31c915545bd43e3500b43bcabc13122a14f09c1f4f0d08a7
Instruction ID: 605c12a02660793d125d56719818648c17563f1a60f45d01773e9269ad277001
Opcode Fuzzy Hash: 1cfae619ca40940b31c915545bd43e3500b43bcabc13122a14f09c1f4f0d08a7
Instruction Fuzzy Hash: 40C1DE71B086A08FD725CE05E0657ABBBE2AF91748FD8845FE0C1473A2D63C9C56C74A

Uniqueness

Uniqueness Score: -1.00%

Function 0046A7C0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1126a1a7b1f5d1d6df60719f9ab307fdbdbd5674a6e211371faa7af099894a8a
Instruction ID: 4d29e5d1de13de38a3ed22a1bb8500057af2990b6bd44837395288ecf3c0cce7
Opcode Fuzzy Hash: 1126a1a7b1f5d1d6df60719f9ab307fdbdbd5674a6e211371faa7af099894a8a
Instruction Fuzzy Hash: 08D18D751082518FC319CF18E5D88E67BE1BFA8740F0E42F9C98A9B323D7359845CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00468BA0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c111c338c8f616af57eab87536070480c5c557b1c8944e30148694ac671838cb
Instruction ID: c39bd3de76b3294973ab4f8348cbd32f642dc206623ef18fd1dae01cd7b61224
Opcode Fuzzy Hash: c111c338c8f616af57eab87536070480c5c557b1c8944e30148694ac671838cb
Instruction Fuzzy Hash: D6B13675214B418FD328CF29C9909A7B3E6FF89304B18892ED4CAC7B55EA35F841CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00424B50 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2546357a86c30abac2dd62889bec0610ab3a28c70181055dbed279ec64a12e65
Instruction ID: cebe5380bc49b15f2807290700951b7300b65b6d13ab32373b9b03251b7df6d8
Opcode Fuzzy Hash: 2546357a86c30abac2dd62889bec0610ab3a28c70181055dbed279ec64a12e65
Instruction Fuzzy Hash: B6B18A703007129BD724DF69D880BABB7E4FF94314F94493EE96A87291CB34B945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00481F86 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 77cf0f5c0fa9becdbc297f44fcdf232111a4e2756f73e6c94dbc784a5ecc356c
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 28B18B3590020ADFDB15DF04C6D0AADBBA1BB59318F24C59EC91A5B382C775EE42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00457890 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: ebd98ae67f99c6999dce984a2e8d9589c297c7250009847828d24183e13f9bac
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 61A10775A087418FC314CF29C49086AFBF2BFC8714F198A6DE99987325E770E945CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00456DF0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 03611004e15c0ec1023716023cc1e190c4960fc0c873eecaf9593406b29fe80f
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 5F81063954A7819FC711CF29C0D04A6FBA2BF9E204F5C999DE9C50B317C231A91ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00463DA0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c7bcc2ab73f65935c7023a1ce424193a9f6fbb8264c16fb84a0b8bb7e9e0800
Instruction ID: da360f24bbc5c481cf50ce8765db5ab18f89bf8f4b9d7384ed9b3594eef9cf31
Opcode Fuzzy Hash: 7c7bcc2ab73f65935c7023a1ce424193a9f6fbb8264c16fb84a0b8bb7e9e0800
Instruction Fuzzy Hash: B2518FB16087418FC328CF28D89166BBBE1BFC8345F19492EE59AC7301E730E515CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00469470 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: 72e2d122d6179bbde32ebe2afb45dc97f0996875be6068e5504c936b84cc377a
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: 61311E3374958203F71DCA2F8CA12BAEBD74FC522871DD57E99CA87356ECF988164144

Uniqueness

Uniqueness Score: -1.00%

Function 0047AF40 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: a0aa15a2f99833b805cf0d549d3ac2b4cfeb227e4977c4d60a94317167a17348
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 0D117AE32440418BD70ACA2AC4B02FFA396EBC532072CC37BE04E8F344D2299829950B

Uniqueness

Uniqueness Score: -1.00%

Function 0049F59C Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67e2ae83a0f6f260188b52e9666dfccde2dfefe24c665a03c6b89c85ed4a0ba
Instruction ID: 337e2aa0a0b79539dcddca67bfccadf52a8056157dec5e2aad040b41b05c22db
Opcode Fuzzy Hash: c67e2ae83a0f6f260188b52e9666dfccde2dfefe24c665a03c6b89c85ed4a0ba
Instruction Fuzzy Hash: 09010C2404DBC38FD3579B388C6A541FF71AE076647E984EAC4F19B4E3E72818A6C742

Uniqueness

Uniqueness Score: -1.00%

Function 00459AF0 Relevance: 12.3, APIs: 8, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ftol.LIBCMT ref: 00459E48
__ftol.LIBCMT ref: 00459E65
__ftol.LIBCMT ref: 00459E81
__ftol.LIBCMT ref: 00459E9B
__ftol.LIBCMT ref: 00459EB9
__ftol.LIBCMT ref: 00459ED7
__ftol.LIBCMT ref: 00459EF3
__ftol.LIBCMT ref: 00459F0D

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 565247a3b9c416ca5eaa37b735ef7d75cde83cdd7dd4cd515987cf39201f3716
Instruction ID: 6964747978ffe90c9691c7cf15328e766ad4debcd15e0e56c7364eaee2b937b0
Opcode Fuzzy Hash: 565247a3b9c416ca5eaa37b735ef7d75cde83cdd7dd4cd515987cf39201f3716
Instruction Fuzzy Hash: D7D14372A09342CFD3019F21D08965ABBB0FFD5744F9A4999E0D56626AE3308978CB87

Uniqueness

Uniqueness Score: -1.00%

Function 0040D0A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ftol.LIBCMT ref: 0040D19A

Strings

VUUU, xrefs: 0040D339
VUUU, xrefs: 0040D31C

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID: VUUU$VUUU
API String ID: 495808979-3149182767
Opcode ID: f8d934fda4407a7e8592dad192057de5f108210fcceab98fd16bb81396356265
Instruction ID: cb76925391f435609f59a9bdba28e0143ee61afa144d46b2d486526b40bf36d3
Opcode Fuzzy Hash: f8d934fda4407a7e8592dad192057de5f108210fcceab98fd16bb81396356265
Instruction Fuzzy Hash: 7391C271609305CBC304DF19E4905AEBBE4EFC8368F00896FF889972A1DB35D959CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ftol.LIBCMT ref: 0041E014
__ftol.LIBCMT ref: 0041E025

Strings

DISPLAY, xrefs: 0041DFB9

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID: DISPLAY
API String ID: 495808979-865373369
Opcode ID: ec6581cdbf2ec1bcc8ecca98332277cd0cff2e7dc8eebc066dfe6e3fbe11caa2
Instruction ID: cf6b65ff62bbf22192803d895f562520e37500edf0139c0221a98013ddfffa9e
Opcode Fuzzy Hash: ec6581cdbf2ec1bcc8ecca98332277cd0cff2e7dc8eebc066dfe6e3fbe11caa2
Instruction Fuzzy Hash: 6041E775608301DFC710DF25CC81B9A7BA4BB88714F004A3EF94AA6292D7789945CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00460940 Relevance: 9.3, APIs: 6, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ftol.LIBCMT ref: 0046096C
__ftol.LIBCMT ref: 00460978
__ftol.LIBCMT ref: 004609A8
__ftol.LIBCMT ref: 004609B6
__ftol.LIBCMT ref: 00460B8E
__ftol.LIBCMT ref: 00460B97

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 0346c4ced9dba9aadfbb04538c22b2cea7b52aad56f0ddc5a46e54e5def725a0
Instruction ID: 2b29864b9f27767ac4ec0debad3118cf2c130da33d3caffc2f9acd49be12cb1e
Opcode Fuzzy Hash: 0346c4ced9dba9aadfbb04538c22b2cea7b52aad56f0ddc5a46e54e5def725a0
Instruction Fuzzy Hash: 06A148B16043019BD714DF69C880A2BB7E5FFC8B08F14892EF99987351EB38EC058B56

Uniqueness

Uniqueness Score: -1.00%

Function 0045DAE0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 497
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ftol.LIBCMT ref: 0045DE0A
__ftol.LIBCMT ref: 0045DE28
__ftol.LIBCMT ref: 0045DF2A
__ftol.LIBCMT ref: 0045DF35

Strings

Z, xrefs: 0045E077

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID: Z
API String ID: 495808979-1505515367
Opcode ID: 1bd02f535c5db51952110704c84331b770d161dcfb5dc12b3bb97f0b8e5fbe7a
Instruction ID: 2a75e02bf141b76be6c7ceb743cdbf1123c51bdeb0d7fafbc927d77a66655ceb
Opcode Fuzzy Hash: 1bd02f535c5db51952110704c84331b770d161dcfb5dc12b3bb97f0b8e5fbe7a
Instruction Fuzzy Hash: 9B127BB0A087028BC724DF19D58061ABBF1FFC8740F10892EE99587356EB75E859CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00429430 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

WHI, xrefs: 0042960D, 00429809, 004298A2, 004298BB
{HI, xrefs: 004294BD, 004295BA, 00429602, 004297BA, 004297FE

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: WHI${HI
API String ID: 3519838083-2376219039
Opcode ID: adad17cea721ccf09894fa22d3e44b9768edd7b8516a3009d651973d3eaf6dbc
Instruction ID: bda11dc8dc80669b846eb73e9d901c67a43ae282fc220bbe925878f83c2559ed
Opcode Fuzzy Hash: adad17cea721ccf09894fa22d3e44b9768edd7b8516a3009d651973d3eaf6dbc
Instruction Fuzzy Hash: 97D18D712083519FC314DF65C884A6FBBE8FBC8704F548E2EF59993241E778E9098B96

Uniqueness

Uniqueness Score: -1.00%

Function 00414210 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 271COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 00414329
__ftol.LIBCMT ref: 00414336

Strings

WHI, xrefs: 004143D1, 00414527
{HI, xrefs: 00414389, 004144DD

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID: WHI${HI
API String ID: 495808979-2376219039
Opcode ID: 610a5e0f6d418ca5c6d45386d3ecd55d5198890325469c6fa9d329ad2db5699f
Instruction ID: 2ab7652ad4bce80d32f619e804d880c713f23e10f1c3c9c232883447bc5693ab
Opcode Fuzzy Hash: 610a5e0f6d418ca5c6d45386d3ecd55d5198890325469c6fa9d329ad2db5699f
Instruction Fuzzy Hash: 56A18C716083419FC314CF69C884A9BBBE9FBC8744F244A2DF5A587390EB74D844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0048ABC4 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0048ABC9

Strings

MS Sans Serif, xrefs: 0048AC9B
Helv, xrefs: 0048ACAE
MS Shell Dlg, xrefs: 0048AC88

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 3519838083-2894235370
Opcode ID: e760bbf595540a4497ca1ccd8a8d63f6720a810a603e3368359a753bc0159a83
Instruction ID: 26cab286630fef2d5c659b1fcb83baa8aba41dc135d41bddcd2f1add577c0167
Opcode Fuzzy Hash: e760bbf595540a4497ca1ccd8a8d63f6720a810a603e3368359a753bc0159a83
Instruction Fuzzy Hash: 34616C7190020ADFDF10EFA5D9859EEBBB1BF14305F20483FE505E2291DB788A55CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004721B6 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 121COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004721BB

Strings

, xrefs: 00472230
WHI, xrefs: 00472205, 00472302
4, xrefs: 004721D0

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: $4$WHI
API String ID: 3519838083-3947791329
Opcode ID: c1968b9045c77b1f1748204ea7d18129ff969c6fb1f6cb7dcc4b4b67e66957ae
Instruction ID: ca2663d6b46173888faf1f8119bc6425694e94e3207f993902a7280a58e98589
Opcode Fuzzy Hash: c1968b9045c77b1f1748204ea7d18129ff969c6fb1f6cb7dcc4b4b67e66957ae
Instruction Fuzzy Hash: AA414971D002099ECB10DFE5C985AEDBBB8EF15308F20817BE904E3241E7789A49CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044AE50 Relevance: 6.4, APIs: 4, Instructions: 351COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0044AEC6
__ftol.LIBCMT ref: 0044AF1C
__ftol.LIBCMT ref: 0044AF72
__ftol.LIBCMT ref: 0044AFC8

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 58d2aceac224db149df6edbdb6fa5ef7725fffbbe3a08c71f1883ab3afb7de70
Instruction ID: 192c1babd9acf6b6fbd6d139a156df8c2e33b41c1e7a3857f4b706e32d910d7a
Opcode Fuzzy Hash: 58d2aceac224db149df6edbdb6fa5ef7725fffbbe3a08c71f1883ab3afb7de70
Instruction Fuzzy Hash: DED1B4F1540B01ABE324EB75CC82BEB73A8AB44744F104D2EF19A962D1DB38F4458F5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045FBD0 Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0045FBDD
__ftol.LIBCMT ref: 0045FBE8
__ftol.LIBCMT ref: 0045FBF6
__ftol.LIBCMT ref: 0045FC02

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: 82f0a274a8bdfc49bd6a908cd3f5e2044c41f9ca1138d7db5e9fde60df90302e
Instruction ID: 07c508b34b7cafd759ec1516f3ee2f07baa418867e35fa288697defe30c6c680
Opcode Fuzzy Hash: 82f0a274a8bdfc49bd6a908cd3f5e2044c41f9ca1138d7db5e9fde60df90302e
Instruction Fuzzy Hash: 955149756083059BC724DF29D480A5BBBE4EB88314F00893FFD9687351D779E84D8B66

Uniqueness

Uniqueness Score: -1.00%

Function 0045FFC0 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0046001B
__ftol.LIBCMT ref: 00460032
__ftol.LIBCMT ref: 004600C1
__ftol.LIBCMT ref: 004600CA

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: f5cf8d5f77d4305829f0a4eaca778e0b46048b37656c88620c5a879af0362711
Instruction ID: 3286fd145c08423bb87abbf2041a290b1a28e59c445e0229e84f96e9c1d74306
Opcode Fuzzy Hash: f5cf8d5f77d4305829f0a4eaca778e0b46048b37656c88620c5a879af0362711
Instruction Fuzzy Hash: AA414A716083018BCB24DF19E490B6BB3E5FF88314F54895EE89A8B311E735EC45CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00475962 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 280COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00475967

Strings

(, xrefs: 00475C5E
, xrefs: 00475B3F

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog
String ID: $(
API String ID: 3519838083-55695022
Opcode ID: 8a60ab5594148fb244c3d0b9397db1cb282a05886476a87007cc2745ff38eb31
Instruction ID: b0a35caa338a74aa508d5ff2eb5b987d8e9733cae7d6764649d7e6d25e64321e
Opcode Fuzzy Hash: 8a60ab5594148fb244c3d0b9397db1cb282a05886476a87007cc2745ff38eb31
Instruction Fuzzy Hash: C3B12970A00709DFCB14DFA9C885AAEB7F5FF88304B20895EE01AEB251D7B5AD45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00478FE2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00479072

Strings

pow, xrefs: 0047904A, 00479067

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: bc8c33457011a8a62e95725360b535b68634f60e77b18d5f3fa5c21670eda7b1
Instruction ID: d171a244f2596dc9c601a6d299f706d294c51e207a7830df8d5676d0bc14c419
Opcode Fuzzy Hash: bc8c33457011a8a62e95725360b535b68634f60e77b18d5f3fa5c21670eda7b1
Instruction Fuzzy Hash: 87515D6191824296DB117715C9053FB2B94EB55310F20CE9FE08D823A9EF3C8CE9E64E

Uniqueness

Uniqueness Score: -1.00%

Function 00474FC8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0047505C
__ftol.LIBCMT ref: 00475067

Strings

W, xrefs: 004750A9

Memory Dump Source

Source File: 00000000.00000002.1736535949.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1736518255.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.00000000004E3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000514000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.000000000054B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1736535949.0000000000567000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __ftol
String ID: W
API String ID: 495808979-655174618
Opcode ID: 9f2cad027f82f611b50487d1548e70cd856e1f5760a99f53d0d3c886f50df07c
Instruction ID: e2ad414b8911ca4f284d6c652c364ee39485669ef8368fc25096c0996237700f
Opcode Fuzzy Hash: 9f2cad027f82f611b50487d1548e70cd856e1f5760a99f53d0d3c886f50df07c
Instruction Fuzzy Hash: DB415D75A01249EFCB04CF98C999AEEBBB4FF44300F1184AAE859AB351C7749E10CF95

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_30f3736b47cfb9d1de897e1dfe0f23861ec6a4_8a5a6b8f_33faa546-2f18-40b2-844a-dde5791fff97\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37D9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3818.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3848.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exePID: 6808, Parent PID: 4084

General

Chronological Activities

Analysis Process: WerFault.exePID: 3672, Parent PID: 6808

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.11SCEUB.10699.12087.exe

Function 00478E10 Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 00459AF0 Relevance: 12.3, APIs: 8, Instructions: 306
COMMON

Function 0040D0A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 250
COMMON

Function 0041DF10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114
COMMON

Function 00460940 Relevance: 9.3, APIs: 6, Instructions: 282
COMMON

Function 0045DAE0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 497
COMMON