Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe
Analysis ID:	1431441
MD5:	a920ac600a4eece342df14133eb71d2d
SHA1:	7c3a1857cae379e496ea85c2d843de1f2df5ccd0
SHA256:	6584b8ab339ea332ecec21cf168631914ac2a2da631aa8d46c711191f9c0b8f0
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

One or more processes crash

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe (PID: 4440 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe" MD5: A920AC600A4EECE342DF14133EB71D2D)

WerFault.exe (PID: 6644 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6572 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Virustotal: Detection: 14%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Code function: 4x nop then sub esp, 00000104h

0_2_0041350A

Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00406440	0_2_00406440
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00402460	0_2_00402460
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00401000	0_2_00401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00404800	0_2_00404800
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00423410	0_2_00423410
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004078E0	0_2_004078E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004090F0	0_2_004090F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_0041B890	0_2_0041B890
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00415940	0_2_00415940
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00418540	0_2_00418540
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00401570	0_2_00401570
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00405570	0_2_00405570
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00422D10	0_2_00422D10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00401130	0_2_00401130
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00416DC0	0_2_00416DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_0040D1D0	0_2_0040D1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004221D0	0_2_004221D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_0040C990	0_2_0040C990
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004149BE	0_2_004149BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00424260	0_2_00424260
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00419E10	0_2_00419E10
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00403A30	0_2_00403A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00401ED0	0_2_00401ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00423AD0	0_2_00423AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004176E0	0_2_004176E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00420A90	0_2_00420A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_0040B6A0	0_2_0040B6A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00407360	0_2_00407360
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_0041AB61	0_2_0041AB61
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00422770	0_2_00422770
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_00404FD0	0_2_00404FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Code function: 0_2_004067A0	0_2_004067A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.winEXE@3/9@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4440

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\58df6ea1-31fe-49ba-9d8f-0d89b019b5fa

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Virustotal: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Section loaded: apphelp.dll

Jump to behavior

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static file information: File size 4091904 > 1048576

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x33e000

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Code function: 0_2_004146A8 push 8B004A90h; retf

0_2_004146AD

Source: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Static PE information: section name: .text entropy: 6.806844075796486

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Code function: 0_2_00496CC0 LdrInitializeThunk,

0_2_00496CC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Code function: 0_2_00408E50 cpuid

0_2_00408E50

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	14%	Virustotal		Browse
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431441
Start date and time:	2024-04-25 05:32:40 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe
Detection:	MAL
Classification:	mal52.winEXE@3/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 34
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.42.65.92
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_157921775d97238581ed3b366b95cf1c64be916_659c366a_92538246-93df-4565-a726-1d27617655d3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6844995449249972
Encrypted:	false
SSDEEP:	96:RiFYJqEx4+et+s2yhMyoI7JfdQXIDcQvc6QcEVcw3cE/D+U+HbHg6ZAX/d5FMT22:wfT+T0BU/QjEzuiF+Z24IO8ra
MD5:	B23598B24158E9347843034E8EE52AE7
SHA1:	72C69B83EB45A5C98954E61C3A77EF31E460C545
SHA-256:	63656DC23FBC3F667E1CB78223F4EBA0AE5CF9D635F187C0133663F62A965E74
SHA-512:	265689AC073D21CD2107B8ADF53F74D3B4EB9A866190BFB84AEFE8EDA242F80DD64AB7F671EC7A931374E50AD95F7D18C882EC1D7B8540DF24D90F075AB6F33B
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.6.0.8.9.5.8.7.7.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.6.0.9.2.8.6.8.9.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.2.5.3.8.2.4.6.-.9.3.d.f.-.4.5.6.5.-.a.7.2.6.-.1.d.2.7.6.1.7.6.5.5.d.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.2.9.d.b.0.6.-.8.6.8.6.-.4.6.5.1.-.a.b.b.1.-.5.5.b.6.b.3.6.e.9.4.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...2.7.2.7.6...2.8.6.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.5.8.-.0.0.0.1.-.0.0.1.4.-.3.6.a.5.-.6.9.5.6.c.1.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.d.c.b.9.3.4.7.3.8.4.0.4.0.1.8.8.d.6.4.e.7.8.7.7.c.1.0.0.4.f.d.0.0.0.0.f.f.f.f.!.0.0.0.0.7.c.3.a.1.8.5.7.c.a.e.3.7.9.e.4.9.6.e.a.8.5.c.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_beab1a24e9683be28b983258c9265328e81ee45_659c366a_7f945e3d-5e31-4c48-903a-f07ec79a8b51\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6845419381514984
Encrypted:	false
SSDEEP:	96:FeFOnqEx4+et8s2yhMyohR7JfzQXIDcQwc6ccEMcw3DPy+U+HbHg6ZAX/d5FMT22:og6T8NY0uY23RjEzuiF+Z24IO8ra
MD5:	00D52560A77DA81E0031730272BED077
SHA1:	368B6C9F8AFB2882B3590BE26B71C663D083F1D8
SHA-256:	5B8934522EB4463C266D378F66CB6266BBFA6D006767D30B28CBC738844C4A7E
SHA-512:	36EC17CFF9DC248047EFD51BE45CFAF7FF4CFA2FB616D728481868C0E927A4377516CD39E0853D25FDB4A033EC4FA9D172C33CDA01F3698908451D59B89CDFB6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.6.5.1.8.4.6.4.8.9.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.6.5.2.0.8.0.8.5.7.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.f.9.4.5.e.3.d.-.5.e.3.1.-.4.c.4.8.-.9.0.3.a.-.f.0.7.e.c.7.9.a.8.b.5.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.3.8.4.3.e.e.-.1.e.2.8.-.4.2.c.d.-.b.9.3.f.-.4.2.2.f.7.2.7.e.5.d.6.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...X.p.a.c.k...E...g.e.n...E.l.d.o.r.a.d.o...2.7.2.7.6...2.8.6.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.5.8.-.0.0.0.1.-.0.0.1.4.-.3.6.a.5.-.6.9.5.6.c.1.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.d.c.b.9.3.4.7.3.8.4.0.4.0.1.8.8.d.6.4.e.7.8.7.7.c.1.0.0.4.f.d.0.0.0.0.f.f.f.f.!.0.0.0.0.7.c.3.a.1.8.5.7.c.a.e.3.7.9.e.4.9.6.e.a.8.5.c.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER398.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:34:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18580
Entropy (8bit):	1.9333880523913431
Encrypted:	false
SSDEEP:	96:5W8iE3S1v1/+QmIO/i7nIGr4Vy4YCQL+65eO6WIkWIrIIwsLf7jc:fmwOPrl860ZsLf7jc
MD5:	C26B7F8B7DFAF1BD80FD7175A64286C0
SHA1:	E267C589C39555D3E7B00CDB5B13CA15C1F397F0
SHA-256:	925810645E33C70902448BE4939C6CDFE57849CAE695AAA3B5D302CA3C198D18
SHA-512:	D18555E78E5A984D328CCB53673B63DA6B4FA691CB093BDD58E510F06651B3871EAC59E55065232E5B59A3E2B742289C2C9DCEE4C3FEE695398CCD03C7E34F22
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......3.)f............4...............<.......T...............T.......8...........T...........H...L?......................................................................................................eJ......L.......GenuineIntel............T.......X.....)f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8514
Entropy (8bit):	3.7020173145884065
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1u6XALa6YEInSUiTGZgmfIqmltpDRC89bpCsf6jm:R6lXJM6wLa6YEYSUiTIgmfPmT7pBfn
MD5:	F021BF379E5C1957362B0132EC524B29
SHA1:	296CF404C53DEF682C9F314A2B7C12BDB78C08DA
SHA-256:	7CB525C9A4822519F25249CDD92FC5DCE3061E98480815A4F6F2A14D609A9537
SHA-512:	D1E1831D3E0B0D80C17B739646304B0CB36F1840AE826152E96014F1FB67062DACEB8F3D2910072AAB796425EFEFD3D70878342065CAE40EFBBD5156BB7E9EB1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4833
Entropy (8bit):	4.584414983745469
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9IjWpW8VY/Ym8M4Je+EOqFs+q8KNqOucNYX+Hydd:uIjfwI7GS7VrJZE4FoRqY+Hydd
MD5:	E712E8135042E9347B28056C133FCF65
SHA1:	6FAB2A169F0C6A94075CFCFCD27E91D1118FACBA
SHA-256:	0E46B3D5C7A2DC07768F5ECB7D8E929D9AC204787C6DCED1950F75CC7E2D4EDB
SHA-512:	C0F0AD4DF18A51F16776460D6D58CD8E68E4411A5C3BD986B5C565B15493F0375649C1F4CD84B0B12B994132A3383073036ABB59BD342E99E532ACDBCE0AB586
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294876" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C1D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:33:29 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18712
Entropy (8bit):	1.9772270009413937
Encrypted:	false
SSDEEP:	96:5s8+E301v1/RJK/i7n2GfF4lWQLE18bO6WIkWIPII4t7jHmLZ:1rO2cDMltHHmLZ
MD5:	7C5B574951DD77A34037E4BF2ADDBFBC
SHA1:	F977086E27168491E0A5E8CA8B1EBA6BCE8BB42B
SHA-256:	36CA1A0AC26103574E050F71CAD28CE620C0F0D07B96058AF9D629C9DD948409
SHA-512:	6F512E58D7ED3634A0BBA8D25FE0B08B37282A25F9C539A4864B0CA3D905A9EF4AAE3B6C54223D6DEB051549B602793E344B42B039D31892F7D70D40D4EA0682
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........)f............4...............<.......d...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T.......X.....)f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C5C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8502
Entropy (8bit):	3.704582744375886
Encrypted:	false
SSDEEP:	192:R6l7wVeJ1u6I6YEIiSU9AWgmfICGpr089bFCsfvXm:R6lXJM6I6YEtSU9AWgmfByFBfe
MD5:	8777B50EEFA4AEFCB14148CA613EA163
SHA1:	5AA1DFBE3E8AD61EB9A44CE161050DCE5B08B5AD
SHA-256:	CC991069B9A9AD84EB11DBDAC27180A29C0A6030990E66BD86E82F369F9D7792
SHA-512:	5283C619BED6C3E9D45DD8CB1DFEEE9776F1252AB892BAB09BF260D52938255138CA7E8DDEB793787B5C6CD6A11928B9CDE3A81F3ACA770E4EA9F2B46F95AE43
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C8C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4829
Entropy (8bit):	4.584973161045632
Encrypted:	false
SSDEEP:	48:cvIwWl8zsiJg77aI9IjWpW8VYYYm8M4JegFH+q8vAcNYX+Hydd:uIjfwI7GS7VsJtXqY+Hydd
MD5:	7FB0780C7CD8B7FC2231B009CD7398B7
SHA1:	13B87DCC8BB16F81E92B574C842AC3BFC055418D
SHA-256:	1A414BFD208E329DDA56893299EBD7E18306F3F6B9ADE1C988A844302B497B61
SHA-512:	21E385D818263198D6CD2654EFD1491EB75115B4F120FCEA289A3F0993122F5AD8066893B9C28EF34CC0081B783441A76D02218797C05DB503AF592E065EC540
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294876" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421754587772051
Encrypted:	false
SSDEEP:	6144:9Svfpi6ceLP/9skLmb0OTIWSPHaJG8nAgeMZMMhA2fX4WABlEnNZ0uhiTw:kvloTIW+EZMM6DFy/03w
MD5:	DCAC20AB6172F333C44A020317D777C5
SHA1:	4C932C6B16DB38E45C1E318666FDC7FF39C48053
SHA-256:	6ACA8C6E6C765D0D13B05E25603D2D1495CFE6AF8CFA9A817BBDEE979FD7B782
SHA-512:	2AC63D7E69D542638147A2FA68C9933E194438199D5E0ED3942A4CA40C023FAFC1FB1E0200594CFCBCD33AB2029F76CDC62E4430D4F2538EEA76D14DFBF36B00
Malicious:	false
Reputation:	low
Preview:	regf?...?....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm._.V................................................................................................................................................................................................................................................................................................................................................}..b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	1.7540776701958491
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe
File size:	4'091'904 bytes
MD5:	a920ac600a4eece342df14133eb71d2d
SHA1:	7c3a1857cae379e496ea85c2d843de1f2df5ccd0
SHA256:	6584b8ab339ea332ecec21cf168631914ac2a2da631aa8d46c711191f9c0b8f0
SHA512:	3e16610462e909d938e14282b83427e0066b3fdca10d42b8f1772f644f2f0309aab13244f35356c433652576bd3f0dd8796d1190841f4504d1566f8539a2397f
SSDEEP:	12288:uVv5bOYAcpupRWCGJSiEc5wCqRvDys1yr9iPAWzl9OmjVk:I/uMEc5wCq971yr96tzbk
TLSH:	B1169F5A82D7B293E40038707932E3369168CDA11837C5DFB89DFC7F67679E82632661
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.....................P4............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4982eb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 004A36C8h
push 00496CC0h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004A2174h]
xor edx, edx
mov dl, ah
mov dword ptr [007D9AACh], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [007D9AA8h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [007D9AA4h], ecx
shr eax, 10h
mov dword ptr [007D9AA0h], eax
push 00000001h
call 00007F9DF0F2225Fh
pop ecx
test eax, eax
jne 00007F9DCD6C194Ah
push 0000001Ch
call 00007F9DE1E0225Fh
pop ecx
call 00007F9DF2EF225Fh
test eax, eax
jne 00007F9DCD6C194Ah
push 00000010h
call 00007F9DE1E0225Fh
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F9D65E1225Fh
call dword ptr [004A2184h]
mov dword ptr [007E3324h], eax
call 00007F9DB43C225Fh
mov dword ptr [007D9AF8h], eax
call 00007F9D673A225Fh
call 00007F9DAE39225Fh
call 00007F9E08DB225Fh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004A2180h]
call 00007F9D5639225Fh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F9DCD6C1948h
movzx eax, word ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa3ff0	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3e4000	0x241c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa2000	0x380	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xa3de8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa1000	0xa1000	a38f8e1abf2050809f8ffac2a9dda4c2	False	0.3275169230395963	data	6.806844075796486	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa2000	0x4000	0x4000	178bdf2fce9e34a4390791e0455b7a2a	False	0.26361083984375	OpenPGP Secret Key	3.657253420062716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa6000	0x33e000	0x33e000	b695026ce2339198d9f926e859711f6b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3e4000	0x3000	0x3000	0a23c9e18b15b82036ffe3b8a448b6f9	False	0.14013671875	data	1.8840741318249408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exePID: 4440, Parent PID: 1028

General

Target ID:	0
Start time:	05:33:28
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe"
Imagebase:	0x400000
File size:	4'091'904 bytes
MD5 hash:	A920AC600A4EECE342DF14133EB71D2D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6644, Parent PID: 4440

General

Target ID:	3
Start time:	05:33:28
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232
Imagebase:	0x6b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 6572, Parent PID: 4440

General

Target ID:	9
Start time:	05:34:11
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 232
Imagebase:	0x6b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exePID: 4440, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60%
Total number of Nodes:	5
Total number of Limit Nodes:	0

Executed Functions

Function 00496CC0 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(?,000000FF), ref: 00496D67

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6242525c703c092563e8edc55f69b636c3a534808285994ccbe09416206f226c
Instruction ID: ca629ae5be5854c44eb9c10beb595c2d6a026467adbc36cd467683f9b8dafb4b
Opcode Fuzzy Hash: 6242525c703c092563e8edc55f69b636c3a534808285994ccbe09416206f226c
Instruction Fuzzy Hash: EC216572500208ABCB10EF1CD884AA6BB64FB04370F4646A6ED299B285D735F965CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 004982EB Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 00498311

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d0a4ba8214a825be855663f4f0def72e59deaa06656a3c5201b7b5e537cb7ff2
Instruction ID: e306389263dd5a48c8ee539d44adfc898de4e826d81a98afc683e05c10e9107a
Opcode Fuzzy Hash: d0a4ba8214a825be855663f4f0def72e59deaa06656a3c5201b7b5e537cb7ff2
Instruction Fuzzy Hash: 032109B1901704AFDB149FB8DD44AAE7FB4EF41720F10472AEA219A2E0DF394440C754

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041350A Relevance: 15.3, Strings: 12, Instructions: 258
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

The folder where Snes9X saves emulated save RAM files andgame save positions (freeze files) is currently set to aread-only folder.If you do not change the game save folder, Snes9X will beunable to save your progress in this game. Change the folderfrom th, xrefs: 00413795
Snes9X: Unable to save file warning, xrefs: 00413790
@zr, xrefs: 0041374F
Snes9X - DirectDraw(1), xrefs: 004135D9
.---, xrefs: 0041376A
DK, xrefs: 0041371F
Snes9X: Information, xrefs: 00413670
The NetPlay server is requesting you load the following game: '%s', xrefs: 0041365B
@zr, xrefs: 004136B1
.srm, xrefs: 004136A4, 00413742
.cht, xrefs: 004136BC, 0041375A
@zr, xrefs: 004136D3

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .---$.cht$.srm$@zr$@zr$@zr$DK$Snes9X - DirectDraw(1)$Snes9X: Information$Snes9X: Unable to save file warning$The NetPlay server is requesting you load the following game: '%s'$The folder where Snes9X saves emulated save RAM files andgame save positions (freeze files) is currently set to aread-only folder.If you do not change the game save folder, Snes9X will beunable to save your progress in this game. Change the folderfrom th
API String ID: 0-2609758386
Opcode ID: b49a6b03c8125e038b46e3e3050977e344c53418ab33f9715c100f8a5bda6d36
Instruction ID: ebc3d6e61a31b48977448ea58210eeb2a73178039337825439b45d2c0bd3a821
Opcode Fuzzy Hash: b49a6b03c8125e038b46e3e3050977e344c53418ab33f9715c100f8a5bda6d36
Instruction Fuzzy Hash: 96517EF054130077EA209B3CAC46FEB3764DB11B25F148719F920973E1DA7DD685866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C990 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

gfff, xrefs: 0040CC9F
gfff, xrefs: 0040CC57
gfff, xrefs: 0040CC7F

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: gfff$gfff$gfff
API String ID: 0-4275324669
Opcode ID: d2cc927a05916dfa5465b137114eaecb097dfc725daf59a61f098018ce84b236
Instruction ID: 0e89a740fcf8f2116c1f579efd906950f8e5b976cf91f2089c0333385bdbc996
Opcode Fuzzy Hash: d2cc927a05916dfa5465b137114eaecb097dfc725daf59a61f098018ce84b236
Instruction Fuzzy Hash: 0CF1D071A04305CBD724CF2DE8C075A7BE2AB99314F04873FE885E73D1D67998498B8A

Uniqueness

Uniqueness Score: -1.00%

Function 00401570 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

|tJ, xrefs: 004019BE
LtJ, xrefs: 004015D6, 0040175F, 00401783

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: LtJ$|tJ
API String ID: 0-869692013
Opcode ID: 0c33ae1189467ef0ab29e429bdad42ac7206929ca98113dd202650d3a281e9ea
Instruction ID: c09528dcc5a0b7efceac6f6f6521a1f9159297b4fa9ea1e18ecaf5e1c42dfd57
Opcode Fuzzy Hash: 0c33ae1189467ef0ab29e429bdad42ac7206929ca98113dd202650d3a281e9ea
Instruction Fuzzy Hash: 2CE14B757002058FCF18CF29D990A6B7BE2EF88320B15826AEC15DB396D734EC52CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00403A30 Relevance: 2.3, Strings: 1, Instructions: 1089COMMON

Download Yara Rule

Strings

l`J, xrefs: 004044F1

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: l`J
API String ID: 0-1299720319
Opcode ID: e0c40266971a8da5da73a44a686ee66fde7d87d8a5049073921bc7d83b575287
Instruction ID: b39e0a71335791ea638f5eb1a7c1a4214310a4a32d1c747b418673b148a80ff8
Opcode Fuzzy Hash: e0c40266971a8da5da73a44a686ee66fde7d87d8a5049073921bc7d83b575287
Instruction Fuzzy Hash: F4929EB1A043018FCB08CF19D88052AFBE5FFC9310F148A6EE9999B395E735E945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004176E0 Relevance: 2.2, Strings: 1, Instructions: 989COMMON

Download Yara Rule

Strings

ws, xrefs: 00417754

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ws
API String ID: 0-1296259883
Opcode ID: 5b3cda99b37657f29b88dbb5cee665fe873e254f6d604ead95966dd196132d33
Instruction ID: a827f2bff55b330beda961880bdf73b50d76521c37f3da7df467ec7bd79f4313
Opcode Fuzzy Hash: 5b3cda99b37657f29b88dbb5cee665fe873e254f6d604ead95966dd196132d33
Instruction Fuzzy Hash: F4829F7160C3058FC724CF18C4C06AEBBF2BB89354F61496EE5958B351EB79D8C58B8A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B890 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

(zs, xrefs: 0041B897

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: (zs
API String ID: 0-3586359216
Opcode ID: b05346e3965dfc5235f403f39f81a42731d650c2a92f797f9edd3ef6173b8cf4
Instruction ID: a770e2193049fe9c6e5eedcdb22bf463d5ad63b81c6b39b4d9f028f6c5ad04fa
Opcode Fuzzy Hash: b05346e3965dfc5235f403f39f81a42731d650c2a92f797f9edd3ef6173b8cf4
Instruction Fuzzy Hash: 7B5238B16086428BD328CF2CEC90AB57BB1FF15300708C27AD4A587B62D77DA695D798

Uniqueness

Uniqueness Score: -1.00%

Function 00404800 Relevance: 1.8, Strings: 1, Instructions: 503COMMON

Download Yara Rule

Strings

`J, xrefs: 00404DEE

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-398809013
Opcode ID: ff0753c2a0ef106ba38f726782c230ee284dcbc21431755cb62eb2098260a611
Instruction ID: bd55899c8a4e9c8b926da1d997d1454b9c04494a86e39f4a10b0ad6bf28c0963
Opcode Fuzzy Hash: ff0753c2a0ef106ba38f726782c230ee284dcbc21431755cb62eb2098260a611
Instruction Fuzzy Hash: 2B2234B46087028FC708CF29D590A2ABBE1BFC8314F148A6EE59AD7791D734E944CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405570 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

$aJ, xrefs: 0040580F

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $aJ
API String ID: 0-720028998
Opcode ID: 42327820844bab2bff3760528e8598b904384205cd1136a547da14598e82ab43
Instruction ID: ebad3e67a34e727f5969e2acb876f65569a64e48090647d64e5a7d14bab1c4d0
Opcode Fuzzy Hash: 42327820844bab2bff3760528e8598b904384205cd1136a547da14598e82ab43
Instruction Fuzzy Hash: 39E1D6B5600A018FD734CF19D490A16FBF1EF89320B25CA6ED4AACB7A1D735E846CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00404FD0 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

`J, xrefs: 00405252

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: `J
API String ID: 0-398809013
Opcode ID: 38e5cce708cbc67bd4d5814dfdc06f771f2f63f16a35893761c7240019591239
Instruction ID: 214f4b911e7bda8903174580c41dbc0fd0ae88d7821cb080f7e5f13d8f831867
Opcode Fuzzy Hash: 38e5cce708cbc67bd4d5814dfdc06f771f2f63f16a35893761c7240019591239
Instruction Fuzzy Hash: 32C182716087518FC718CF28D59016AFBE1FB89310F194A7EE8DAA3791C774A815CF89

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB61 Relevance: .6, Instructions: 582COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79283926ad8258540eaa91e9480e1343af5193c3c553652aecbceaa0b6190994
Instruction ID: 1e1c2540f5953777dd228bd816573ed03fcdd780c0ea0ae1be8bdfce87a41e12
Opcode Fuzzy Hash: 79283926ad8258540eaa91e9480e1343af5193c3c553652aecbceaa0b6190994
Instruction Fuzzy Hash: 283238B250D3828BD328CF1CEC805A93BA2ABA5321719C36FD07543BA2D77C5695C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00424260 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28532d484186746edf3e8c598de620a9788015de28584a2d64f020eb82aa3b11
Instruction ID: d19758be6031c5784cbfa131487ca0a6347e11c909b5f1fad91ed2998d227df6
Opcode Fuzzy Hash: 28532d484186746edf3e8c598de620a9788015de28584a2d64f020eb82aa3b11
Instruction Fuzzy Hash: A122C2B56083918FD328CF18E89062AFBF1FBC9304F58856DE995C7361D738A855CB89

Uniqueness

Uniqueness Score: -1.00%

Function 00423AD0 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f360a98514622a31856ae259ba47153c402640a4e5008e5ef52afb08fe91f03
Instruction ID: 6b950b6758aeef0be1a8ca3aef44665c9542d2c4146805dcbc3cc49545ddea2c
Opcode Fuzzy Hash: 8f360a98514622a31856ae259ba47153c402640a4e5008e5ef52afb08fe91f03
Instruction Fuzzy Hash: 0232D1B56083518FD328CF18E89062AFBF2FBC8305F54866DE9A5C7361D738A945CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00422D10 Relevance: .5, Instructions: 518COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f90edf692e15175710ed5b92f8eff34922816997e87698757fdbb5673665b699
Instruction ID: 93e2b4de30110bdf618fb1f1f62283241889f4d05ea546f5f61c006c1d6f470e
Opcode Fuzzy Hash: f90edf692e15175710ed5b92f8eff34922816997e87698757fdbb5673665b699
Instruction Fuzzy Hash: E422CFB67087418FD328CF18E89066AF7F2BBC8305F58866DE8A5C7351D778A941CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00423410 Relevance: .5, Instructions: 512COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c2f92e94f08c5ba75c47c9e1de4654878d37bfcaf4ed2e835c76a9ca2e608e
Instruction ID: e6955a9b9bee52d6c42e07a52fa0d250a483170489b165990d2f7a0c66179fc9
Opcode Fuzzy Hash: 21c2f92e94f08c5ba75c47c9e1de4654878d37bfcaf4ed2e835c76a9ca2e608e
Instruction Fuzzy Hash: A312AFB5B087418FD318CF18E89066AF7F2BBC8305F58856DE895C7361D738A946CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00402460 Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814f60197bbc476eae26e19a96be2d168fd37c8d305b9f1af688826301b139c8
Instruction ID: 6af55eb07c487789b2bfe0b3d4e565fe904d8a7af3c0a1941b1b9a2449a19b0f
Opcode Fuzzy Hash: 814f60197bbc476eae26e19a96be2d168fd37c8d305b9f1af688826301b139c8
Instruction Fuzzy Hash: B5128A756002018FCB18DF28C9D4A667BA6FF88314B1985BADC199F39BD775EC02CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004221D0 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a80342b54fb9dd7e6b2123bb0da02e8ab62bf29c1444ee40bfada816e1a06a
Instruction ID: c1556e58ef71692509141a129fd6f038a6b88c664a506a3e5a5a75facd66ebd5
Opcode Fuzzy Hash: 83a80342b54fb9dd7e6b2123bb0da02e8ab62bf29c1444ee40bfada816e1a06a
Instruction Fuzzy Hash: 8F02C4B6A087559FD314CF28D98051AFBF2BFC9304F48866EE89487351D3B8E945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00422770 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b771fcad7875c2235cb4204e1c6a2534f23a1270c60bf28aa76e2c34523bb918
Instruction ID: f349935c3eee994c45d9bdbe8236e3bb92014aec510569be9b84702625c9194b
Opcode Fuzzy Hash: b771fcad7875c2235cb4204e1c6a2534f23a1270c60bf28aa76e2c34523bb918
Instruction Fuzzy Hash: 2202BFB5A083919FD318CF18D99066AFBF2FBC8304F588A2DE49587351D778E845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004067A0 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2250f4208e6674d035c28f22ec50b52f5172ea5d2dbe36cab122145d7b332a80
Instruction ID: 4679520d184946e820504d6e0a5ffda97071a73a444ed3702e8413183056464a
Opcode Fuzzy Hash: 2250f4208e6674d035c28f22ec50b52f5172ea5d2dbe36cab122145d7b332a80
Instruction Fuzzy Hash: BAF18B71609B418BD325CF28C9905D3B7F2EF99314B088B2DD4AB83781EB35B546CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00407360 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201e480114e26c853ddd06ef96a019c13385095f3b0dd49ac833cad946959125
Instruction ID: 43846ad2d355814696f3cfa3ee9c050963757dab3031637b84fda78a50440679
Opcode Fuzzy Hash: 201e480114e26c853ddd06ef96a019c13385095f3b0dd49ac833cad946959125
Instruction Fuzzy Hash: 70F1A07250D2408FC3098F18D5989E27BE2FFA8714B1F42F9D4499B3A3D736A841CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfbcb6b835056755c74208b9bb747b376339eb9649cb388bf4fb5ce38e2ca9b6
Instruction ID: ef5008ad73c67de17c7d3278b20d6794f2e35be23215f47fb257e2b922b615a4
Opcode Fuzzy Hash: dfbcb6b835056755c74208b9bb747b376339eb9649cb388bf4fb5ce38e2ca9b6
Instruction Fuzzy Hash: 85E19E756103498FCB18CF28C9809AAB7A6FF88314F19856EEC19DB391D775ED41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00420A90 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad081010f7bf771969a2a402ddc2067e3d90a766986c90a3ebc1d83f62fee04d
Instruction ID: 660dd3c2b83c40bcef57c195a79f14beaa4f48872884f99320b6b0d87f34ddec
Opcode Fuzzy Hash: ad081010f7bf771969a2a402ddc2067e3d90a766986c90a3ebc1d83f62fee04d
Instruction Fuzzy Hash: 1ED1AEB16193518FD328CF18D88092BBBE6FBC9704F548A1EE49587315D738EC46CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004078E0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ef72e6566c1221242510f9a789e7a0c7966780e3ee47c6d79036d53151f301
Instruction ID: dccbe54600661fe2e26ba6b4d8acc1f20a0dd6e99c00541dd42d6c808455b681
Opcode Fuzzy Hash: 24ef72e6566c1221242510f9a789e7a0c7966780e3ee47c6d79036d53151f301
Instruction Fuzzy Hash: 7FD17A7560C2518FC319CF28E5D88E27BE1BFA8740B0E42F9D94A9B363D732A941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004090F0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705e94ab6ccab90b2e27b6b937826f8ff7947966acd399295eaa153aeffeeb4a
Instruction ID: 69cd7b5b51469a9b02e6b24fe4c08cf291c11e24b98fa8e070bff0da3d809f78
Opcode Fuzzy Hash: 705e94ab6ccab90b2e27b6b937826f8ff7947966acd399295eaa153aeffeeb4a
Instruction Fuzzy Hash: 46A126B2A187018FC304CF1DC88055AFBE1FBC8314F598A7EE99997391DA74E945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00416DC0 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9ed9a8021dabf5122ea3b55602bb0f38363e48b36859bb1a6971ad5d534aa5
Instruction ID: 75e983fb14dc4c62e27ab03b9b81ddaf4d3df437f20692f056809cb28ca534f1
Opcode Fuzzy Hash: af9ed9a8021dabf5122ea3b55602bb0f38363e48b36859bb1a6971ad5d534aa5
Instruction Fuzzy Hash: 56919AB290D2428BD328CF1CEC406E93BB1EB4631171AC17BD86587B60C37C9A96D76D

Uniqueness

Uniqueness Score: -1.00%

Function 00406440 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a2764e49faaa5645787678b2eb93d5a562081fd481c773b7b9db899effc4ab
Instruction ID: 0231081edc72c36f19211d655248ae15791ca54d21f3fecce6a8001c65764ed8
Opcode Fuzzy Hash: f0a2764e49faaa5645787678b2eb93d5a562081fd481c773b7b9db899effc4ab
Instruction Fuzzy Hash: 7DB1287550D1808FC309CF28E9A89E27BE2AFA9310B1E82F9D44A9B777C771D841CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00418540 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18676abf54c9854bc2fc46c0357a72c1a0738de8bf3640d3eeeb7ad2a0c5324e
Instruction ID: 8a853bee02fa75dcabd51a899f8c73ef383d68afafc969a4c1e29748e22b8fd3
Opcode Fuzzy Hash: 18676abf54c9854bc2fc46c0357a72c1a0738de8bf3640d3eeeb7ad2a0c5324e
Instruction Fuzzy Hash: F5A18EB5A0D2428BE32CCF1CECA05A97BB1AB59312764C17EE41187BB1C73C4649DB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1797c11ad363f85b464513e10864add8de7a8acaaeb76b9a2133253ccfdc7d0b
Instruction ID: 001960478ef329d67e5973858aa184a0d8a3028657aa36567ee1965da1593cfd
Opcode Fuzzy Hash: 1797c11ad363f85b464513e10864add8de7a8acaaeb76b9a2133253ccfdc7d0b
Instruction Fuzzy Hash: 36617B331001944BCB1DDE3CA6F49FF3B91DA9B3C472992EDC1478B5A6EB266129CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00415940 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 800658c8c9f441e148120c58e691d6e1d33fbd5635ddff12c747ebdc58a9f860
Instruction ID: b3a16b42fcd72581c9ff0d832c761d02fe4253b7e8797345ca5edbb2c21b5975
Opcode Fuzzy Hash: 800658c8c9f441e148120c58e691d6e1d33fbd5635ddff12c747ebdc58a9f860
Instruction Fuzzy Hash: F3413BA571C6C27AF2198B355C204FBFFE65AEB110B0CC799E4F853386D12998148BF6

Uniqueness

Uniqueness Score: -1.00%

Function 00419E10 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6617b1a3225f1660643ded7880b68ae15c3c0b796e53f079b13075e9f06c2bfe
Instruction ID: 5b5a47f7cff2bd2e701dc621dc30679c55bfb3375bea3f9b2a689525d218060a
Opcode Fuzzy Hash: 6617b1a3225f1660643ded7880b68ae15c3c0b796e53f079b13075e9f06c2bfe
Instruction Fuzzy Hash: 6F51F4B46183855BE354DF18FC602B63BA6BB55340B08C129D5868B372EE7D5A27C70D

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: dc27713cd6a60bc44c0a8ceda9b614b42522f883be77642eb0614ce28c62aec5
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: BB31603374558203F72DCA2F8CA12BAEBD34FC922872DD47E99C59B366ECBA44564104

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1D0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2784ae666daadd6535c541f4b51335f4f7f59950a7118cff4555d258211feafc
Instruction ID: 2e72119bb0351cd9008d21fe3866894097ff9d0f4279fcf2ed948b7cfe211849
Opcode Fuzzy Hash: 2784ae666daadd6535c541f4b51335f4f7f59950a7118cff4555d258211feafc
Instruction Fuzzy Hash: DD41E336A097814FC308CF19D99056ABBE2EFD9300B19D6ADED849B356C634DC05C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 004149BE Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d45127b75f237a5b28d0219549a0f935243a17c92d874eddf16135ae5773213
Instruction ID: f97c1226944e15970b9fff1ad0dac117c3e71efa7827004b3651910e57bb1190
Opcode Fuzzy Hash: 1d45127b75f237a5b28d0219549a0f935243a17c92d874eddf16135ae5773213
Instruction Fuzzy Hash: 1641EB33A5CB268B8B14DF88DC8005AB3E0AAC4750F4E863DDE6467302E6B4AC55C7DD

Uniqueness

Uniqueness Score: -1.00%

Function 00401130 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ba61773994f9f3d120c5d416ed29446dc2403cddbc3ffcb4919ac174200475d
Instruction ID: 9cdb916d7c5efd04514855035ad0cb870f5427e562a9139f00616d3e3ade3550
Opcode Fuzzy Hash: 5ba61773994f9f3d120c5d416ed29446dc2403cddbc3ffcb4919ac174200475d
Instruction Fuzzy Hash: 8331B5227B909207D354CEBD9C80237BA9397CB346B6CC67CD984CBA5AC47ED8079318

Uniqueness

Uniqueness Score: -1.00%

Function 00408E50 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2768131001.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2768091037.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768210385.00000000004A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004A6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D6000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768232318.00000000004D9000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2768446051.00000000007E4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef180fd61e3038033cc03b93114645d91081318b57e86a63f07ee95a38459e1
Instruction ID: f895f54a6d4a2bf3c280daeb5370146e8ec4e39789d220d8275e72fc8b8ae1b7
Opcode Fuzzy Hash: 6ef180fd61e3038033cc03b93114645d91081318b57e86a63f07ee95a38459e1
Instruction Fuzzy Hash: 12F05471A04659ABCB158F8D99417DAFB74F705760F20476EF524A37C0C37915049B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_157921775d97238581ed3b366b95cf1c64be916_659c366a_92538246-93df-4565-a726-1d27617655d3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_beab1a24e9683be28b983258c9265328e81ee45_659c366a_7f945e3d-5e31-4c48-903a-f07ec79a8b51\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER398.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3D7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F8.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C1D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C5C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C8C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
SecuriteInfo.com.W32.Xpack.E.gen.Eldorado.27276.2863.exe

Function 00496CC0 Relevance: 1.6, APIs: 1, Instructions: 73
libraryCOMMON

Function 004982EB Relevance: 1.6, APIs: 1, Instructions: 81
libraryCOMMON

Function 0041350A Relevance: 15.3, Strings: 12, Instructions: 258
COMMON