Edit tour

Windows Analysis Report
SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Overview

General Information

Sample name:	SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe
Analysis ID:	1431442
MD5:	316b0ac873282268974444a2f61fab9a
SHA1:	8de255463c78fba2c45d9d0193b38ba4246a88d8
SHA256:	860ce0f9ea887a41d1240608dccbfa2dbfbc2fc2772b455156833254d8089067
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Detected potential crypto function

Entry point lies outside standard sections

Found potential string decryption / allocating functions

One or more processes crash

PE file contains sections with non-standard names

PE file does not import any functions

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe (PID: 6532 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe" MD5: 316B0AC873282268974444A2F61FAB9A)

WerFault.exe (PID: 2220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Virustotal: Detection: 32%

Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	String found in binary or memory: http://www.clamav.net

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_004462EC		0_2_004462EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0044B4B8		0_2_0044B4B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: String function: 0040439C appears 69 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: String function: 00406434 appears 61 times

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Static PE information: Section .clam01

Source: classification engine

Classification label: mal60.winEXE@2/5@0/0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6532

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3725e3de-ade6-4aa1-bb6e-2707e5319200

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Virustotal: Detection: 32%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Section loaded: apphelp.dll

Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: .clam01

Source: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Static PE information: section name: .clam01

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424084 push 004240B0h; ret	0_2_004240A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00426168 push 004261ABh; ret	0_2_004261A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0041610C push ecx; mov dword ptr [esp], edx	0_2_0041610E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_004261CC push 00426218h; ret	0_2_00426210
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00406198 push 004061C4h; ret	0_2_004061BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0042627C push 004262A8h; ret	0_2_004262A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00406210 push 0040623Ch; ret	0_2_00406234
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00426224 push 0042626Fh; ret	0_2_00426267
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00422298 push 004222C4h; ret	0_2_004222BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0042238C push 004223B8h; ret	0_2_004223B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_004263B4 push 0042642Ah; ret	0_2_00426422
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0042C49C push 0042C4C8h; ret	0_2_0042C4C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0042C604 push 0042C630h; ret	0_2_0042C628
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00410846 push 004108BEh; ret	0_2_004108B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00410848 push 004108BEh; ret	0_2_004108B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00440824 push 00440850h; ret	0_2_00440848
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_004108C0 push 00410968h; ret	0_2_00410960
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0041A932 push 0041A9DFh; ret	0_2_0041A9D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0041A934 push 0041A9DFh; ret	0_2_0041A9D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_0041A9E4 push 0041AA74h; ret	0_2_0041AA6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00410A6C push 00410A98h; ret	0_2_00410A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424A78 push 00424AA4h; ret	0_2_00424A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424A08 push 00424A57h; ret	0_2_00424A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424AE8 push 00424B14h; ret	0_2_00424B0C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424AB0 push 00424ADCh; ret	0_2_00424AD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00422B4C push 00422B78h; ret	0_2_00422B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424B58 push 00424B84h; ret	0_2_00424B7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00422B0C push 00422B38h; ret	0_2_00422B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424B20 push 00424B4Ch; ret	0_2_00424B44
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00424BC8 push 00424BF4h; ret	0_2_00424BEC
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	Code function: 0_2_00412BE4 push ecx; mov dword ptr [esp], edx	0_2_00412BE9

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Code function: 0_2_00406154 LdrInitializeThunk,

0_2_00406154

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	32%	Virustotal		Browse
SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.clamav.net	SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431442
Start date and time:	2024-04-25 05:29:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe
Detection:	MAL
Classification:	mal60.winEXE@2/5@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 22
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe, PID 6532 because it is empty

Simulations

Behavior and APIs

Time	Type	Description
05:30:27	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_6bb91ea6b49d6564513997366bf3b187dd686de6_9d3a5af9_3c157071-e92a-468b-9d10-5f2fe579e3cf\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6838333976442724
Encrypted:	false
SSDEEP:	96:jvFschv6CN+ILs/hMyoI7JfdQXIDcQvc6QcEVcw3cE/X+HbHg6ZAX/d5FMT2SlPJ:D9hiERLx0BU/wjEzuiFFZ24IO8L
MD5:	E70AEB071EE09E946BBE6C78888B150A
SHA1:	AF71608C6405BB4CCD8ABD87815B04D80C6CD3E8
SHA-256:	715EE47EE5D8D71F780A4DB8354A9AE56A15BB2BF9FC80E522E74F7E567C7E31
SHA-512:	E65EEED63EBC0CD79D47C3477312783F8E5C63698BAF8377444EA2C59ED6E06F1F61F4C226B5023A77FD8C486587A0E12D7A3082B8A101067D6BF5E8BE6F6709
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.4.8.9.4.1.7.3.1.3.1.5.9.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.4.8.9.4.1.7.7.3.5.0.2.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.c.1.5.7.0.7.1.-.e.9.2.a.-.4.6.8.b.-.9.d.1.0.-.5.f.2.f.e.5.7.9.e.3.c.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.9.8.f.a.8.8.-.a.3.a.f.-.4.f.d.a.-.9.9.8.e.-.c.7.b.1.f.0.6.b.d.5.2.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.3.2...S.-.9.0.9.c.a.2.9.9...E.l.d.o.r.a.d.o...1.3.4.7.8...2.6.6.5.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.8.4.-.0.0.0.1.-.0.0.1.4.-.7.8.9.a.-.2.e.e.4.c.0.9.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.7.f.9.d.a.7.8.0.5.8.b.e.4.7.e.7.1.e.9.e.a.f.d.f.4.f.f.c.d.6.c.0.0.0.0.f.f.f.f.!.0.0.0.0.8.d.e.2.5.5.4.6.3.c.7.8.f.b.a.2.c.4.5.d.9.d.0.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE983.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Apr 25 03:30:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	18604
Entropy (8bit):	1.9543626367297435
Encrypted:	false
SSDEEP:	96:5Vt8ZE3U1v1/SFDi7nCV4R/FDzkf70uqy6WIkWIaII4CJca:T2mFDOQoBxuLBCJca
MD5:	EB2384C5FC59B607CFA0CB33CC972E9B
SHA1:	E96285736818EFEE5AAE4761C3E7754A3E564658
SHA-256:	8EB04A2F1A7758AE6BB9CE1BA0E9161EE7AAE7B2891A79456EC14CF9762E1571
SHA-512:	A00DE1749F2E28B0C58D6D000D25BAADF5D3357623F55AABF17362DB205A76FF56B91571B3787107E7CFFBB0A6C6DF5FC9A06EE008E183C30DCA748E80A65343
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......I.)f............4...............<.......T...............T.......8...........T................?......................................................................................................eJ......L.......GenuineIntel............T...........H.)f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9E2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8492
Entropy (8bit):	3.7031811788178386
Encrypted:	false
SSDEEP:	192:R6l7wVeJpk64q6YEIoSUvgSqLgmfuCmprQ89b7/sfnpm:R6lXJq636YEHSUoSqLgmfLe7kfE
MD5:	EC803B3A4B1753EFC632E23AC05C207C
SHA1:	811821243212C972D4228E9E3849429F429B9C0A
SHA-256:	DB7560D2C9C7526F9DC93CFFE9046CAB299B4AB5163BFE18AECFE52CF8543C24
SHA-512:	35CC1338DB89A71E6C4C250090AF2180CA4732D36A2695F864E87DF0C60B2D26665E4C0884F7B6F0873C2D7543EF2063A2E14F7F75A232B10CAF8ADA790A9081
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA50.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4829
Entropy (8bit):	4.581932689496914
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9yFWpW8VYHYm8M4JKgFfE+q8NPi38+13d:uIjf0I7U07VnJJEyw8+13d
MD5:	C97AA3193EB4D496AAD0B21A8F5AEFF5
SHA1:	24489B273F2BDC76C264B115981A3BD5956CCB1A
SHA-256:	FED956ABF9E67FFA4D7A9F832EDF1CF94AB62B0DA5D6CC4ECC734FAA9CB80A31
SHA-512:	676337E4B1F29F14AF89E64A8ECFEE6AFFB33EEBDBABFA3CB795E1B2F9844715EA0AB447207F1C27A2AC8113CC52ACA7601C2EAEC38C72B1999C13D158E0433C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="294872" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421768233965082
Encrypted:	false
SSDEEP:	6144:bSvfpi6ceLP/9skLmb0OThWSPHaJG8nAgeMZMMhA2fX4WABlEnNZ0uhiTw:GvloThW+EZMM6DFyv03w
MD5:	E448F1B8F998757C45F994C1F6624B1C
SHA1:	F15FAC13F167E6C45DE28D89224AE83C191CBB56
SHA-256:	BFC435AA16CD7974D4CCF2251B061A5AC52859CAE0215993BF13EC934CAAF2A0
SHA-512:	D8BC854AAE4BF6042F6BC8D0D09B5FB8526FCB7DF56B29B4691F362E1FE8CC9CB40B732FC1F80F94F554BE0D42CE3698A2918A60A346664E515ACD837E789586
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.N..................................................................................................................................................................................................................................................................................................................................................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.880976850364517
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe
File size:	453'120 bytes
MD5:	316b0ac873282268974444a2f61fab9a
SHA1:	8de255463c78fba2c45d9d0193b38ba4246a88d8
SHA256:	860ce0f9ea887a41d1240608dccbfa2dbfbc2fc2772b455156833254d8089067
SHA512:	8b37d6016d22b1f4f37222efe6f132cc758c890ef549c42c618fda45ff0277e826e576e088834850d7074153f25e2d96af3727561c935afd498591213aed847a
SSDEEP:	6144:uxryrBmiceElDaLv1w/aasFlUC5//BIy92kvo1yheOk9CuFea29NruSvolle:gyrEFeEl+225Imo160ea2Xrf+
TLSH:	4EA45D37F2E08437C1732A399C5B8A689D25BEA17D3868493BF81E4C5F3978175262D3
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.............................A.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4541d0
Entrypoint Section:	.clam01
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00453FE0h
call 00007F775D34A419h
mov eax, dword ptr [0045647Ch]
mov eax, dword ptr [eax]
call 00007F775D396049h
mov eax, dword ptr [0045647Ch]
mov eax, dword ptr [eax]
mov edx, 00454230h
call 00007F775D395C48h
mov ecx, dword ptr [00456560h]
mov eax, dword ptr [0045647Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [004535D0h]
call 00007F775D396038h
mov eax, dword ptr [0045647Ch]
mov eax, dword ptr [eax]
call 00007F775D3960ACh
call 00007F775D34852Bh
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.clam01	0x1000	0x6e66a	0x6e66a	123040e8b677911ee8801f4eea762c44	False	0.43804538679616634	data	5.886269191675616	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exePID: 6532, Parent PID: 1028

General

Target ID:	0
Start time:	05:30:16
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe"
Imagebase:	0x400000
File size:	453'120 bytes
MD5 hash:	316B0AC873282268974444A2F61FAB9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 2220, Parent PID: 6532

General

Target ID:	4
Start time:	05:30:17
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6532 -s 232
Imagebase:	0xaf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exePID: 6532, Parent PID: 1028COMMON

Executed Functions

Function 00406154 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cbe52df49395de3d3cd7432bdbcaab07620b0db0696e8a836d9a2aef632cb5
Instruction ID: 62ce44b97c69d2a7200a98096c38ac5dcf526c02cb508de68539ff18366c78b0
Opcode Fuzzy Hash: c0cbe52df49395de3d3cd7432bdbcaab07620b0db0696e8a836d9a2aef632cb5
Instruction Fuzzy Hash: B1E0B6B1601B008BC380DF79ACA172A7AE1B709712B91883AE609DB3A3E334D4108B58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004462EC Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc80dc788cfdd44a5ca846ef098faecb1ffda272d13dc4d785ea5355b7c72c94
Instruction ID: fb2c2a5ffc4aee9f7e2f48fac736e04ce525269a346227131eba611d4af6844a
Opcode Fuzzy Hash: cc80dc788cfdd44a5ca846ef098faecb1ffda272d13dc4d785ea5355b7c72c94
Instruction Fuzzy Hash: DDE17C74A00209DFEB10DFA9C48199EF7F5FF49308B22856AE805A7726C638ED41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0044B4B8 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d0592934ac82ef97810436a38bffd26b7794565e8a27fb179d763717e010d
Instruction ID: f0b655a36dab33e5fc7444d2e341fca3e15008bfde0644bf1bbd1a069812567e
Opcode Fuzzy Hash: 869d0592934ac82ef97810436a38bffd26b7794565e8a27fb179d763717e010d
Instruction Fuzzy Hash: C5B17274A00244EFEB14EF69C885AAEB7F9EB48304F2544A6F404A7361C738EE41DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042427C Relevance: 60.3, Strings: 48, Instructions: 266COMMON

Download Yara Rule

Strings

DrawThemeEdge, xrefs: 00424388
GetThemeRect, xrefs: 00424460
DrawThemeParentBackground, xrefs: 004245EC
DrawThemeText, xrefs: 004242F8
GetThemeEnumValue, xrefs: 0042442A
IsThemeActive, xrefs: 0042454A
8zE, xrefs: 00424281
GetThemeMetric, xrefs: 004243E2
IsAppThemed, xrefs: 0042455C
GetWindowTheme, xrefs: 0042456E
uxtheme.dll, xrefs: 004242AD
GetThemeSysColor, xrefs: 004244CC
GetThemeSysBool, xrefs: 004244F0
EnableThemeDialogTexture, xrefs: 00424580
HitTestThemeBackground, xrefs: 00424376
GetThemeInt, xrefs: 00424418
GetThemeSysInt, xrefs: 00424538
IsThemeBackgroundPartiallyTransparent, xrefs: 004243BE
GetThemeFilename, xrefs: 004244BA
GetThemeSysSize, xrefs: 00424502
SetThemeAppProperties, xrefs: 004245B6
IsThemePartDefined, xrefs: 004243AC
GetThemeAppProperties, xrefs: 004245A4
GetCurrentThemeName, xrefs: 004245C8
GetThemeTextExtent, xrefs: 00424340
GetThemeMargins, xrefs: 00424472
GetThemePartSize, xrefs: 0042432E
CloseThemeData, xrefs: 004242D4
GetThemeSysColorBrush, xrefs: 004244DE
IsThemeDialogTextureEnabled, xrefs: 00424592
GetThemeSysString, xrefs: 00424526
OpenThemeData, xrefs: 004242C2
DrawThemeIcon, xrefs: 0042439A
GetThemeDocumentationProperty, xrefs: 004245DA
GetThemeSysFont, xrefs: 00424514
GetThemeFont, xrefs: 0042444E
GetThemeBackgroundRegion, xrefs: 00424364
GetThemeString, xrefs: 004243F4
GetThemePropertyOrigin, xrefs: 00424496
GetThemeTextMetrics, xrefs: 00424352
EnableTheming, xrefs: 004245FE
GetThemeColor, xrefs: 004243D0
GetThemeBackgroundContentRect, xrefs: 0042430A, 0042431C
DrawThemeBackground, xrefs: 004242E6
GetThemeBool, xrefs: 00424406
SetWindowTheme, xrefs: 004244A8
GetThemeIntList, xrefs: 00424484
GetThemePosition, xrefs: 0042443C

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 8zE$CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 0-68392574
Opcode ID: 6af2ab8a0fb0387d24efab394fec4b5f1250d1011f9f7dfbb8204ac38fe113b9
Instruction ID: 67d0ad17e0e3918f0375831235b0137101ca6a04351fdcc6d0d2f4358158ea67
Opcode Fuzzy Hash: 6af2ab8a0fb0387d24efab394fec4b5f1250d1011f9f7dfbb8204ac38fe113b9
Instruction Fuzzy Hash: 6BA1FDB0A46760AFEB00EBB9BC82A6537E8EB467013D1057AB401DF296D67CD811CF1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040DBDC Relevance: 28.9, Strings: 23, Instructions: 141COMMON

Download Yara Rule

Strings

VarBoolFromStr, xrefs: 0040DD7F
oleaut32.dll, xrefs: 0040DBE0
VarXor, xrefs: 0040DCE5
VarCyFromStr, xrefs: 0040DD69
VarR4FromStr, xrefs: 0040DD27
VariantChangeTypeEx, xrefs: 0040DBF3
VarBstrFromDate, xrefs: 0040DDAB
VarOr, xrefs: 0040DCCF
VarAnd, xrefs: 0040DCB9
VarSub, xrefs: 0040DC4B
VarIdiv, xrefs: 0040DC8D
VarMod, xrefs: 0040DCA3
VarNeg, xrefs: 0040DC09
VarBstrFromCy, xrefs: 0040DD95
VarDateFromStr, xrefs: 0040DD53
VarNot, xrefs: 0040DC1F
VarCmp, xrefs: 0040DCFB
VarDiv, xrefs: 0040DC77
VarMul, xrefs: 0040DC61
VarBstrFromBool, xrefs: 0040DDC1
VarI4FromStr, xrefs: 0040DD11
VarR8FromStr, xrefs: 0040DD3D
VarAdd, xrefs: 0040DC35

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 0-1918263038
Opcode ID: 01a010803551719040b24db39c83f5d75586717e012e41b937c19a63bcb71c7a
Instruction ID: 9fc4f0efae6fff1aecd3e44ef762eb1d6cd231c85c6ca41e6d06e1779c4d8979
Opcode Fuzzy Hash: 01a010803551719040b24db39c83f5d75586717e012e41b937c19a63bcb71c7a
Instruction Fuzzy Hash: AA411861E083041BD7047BEEB81182777E9DA897203A0C07BB804BB7D6DB38FC49866D

Uniqueness

Uniqueness Score: -1.00%

Function 0043D824 Relevance: 17.6, Strings: 14, Instructions: 95COMMON

Download Yara Rule

Strings

ImmReleaseContext, xrefs: 0043D8B6
ImmSetOpenStatus, xrefs: 0043D8F5
ImmGetConversionStatus, xrefs: 0043D8CB
ImmSetCompositionFontA, xrefs: 0043D91F
@wE, xrefs: 0043D829
ImmSetConversionStatus, xrefs: 0043D8E0
WINNLSEnableIME, xrefs: 0043D868
ImmSetCompositionWindow, xrefs: 0043D90A
ImmGetContext, xrefs: 0043D8A1
USER32, xrefs: 0043D85C
ImmGetCompositionStringA, xrefs: 0043D934
imm32.dll, xrefs: 0043D885
ImmNotifyIME, xrefs: 0043D95E
ImmIsIME, xrefs: 0043D949

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @wE$ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 0-890834701
Opcode ID: ffdb966b2594165f0bc27abfa11d3eeb90424997bfe4f07367229758c8d16bb4
Instruction ID: dc5a97c28e8674898aafd10f2af9df38d6a6cf0f592f415fe9381749edc25def
Opcode Fuzzy Hash: ffdb966b2594165f0bc27abfa11d3eeb90424997bfe4f07367229758c8d16bb4
Instruction Fuzzy Hash: B73150B0D05700AFD700EFB5BD5AA253798EB08715B91147BB1019B2A3D6BCE910CF1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C830 Relevance: 7.7, Strings: 6, Instructions: 201COMMON

Download Yara Rule

Strings

:mm, xrefs: 0040CA99
AMPM , xrefs: 0040CA89
mmmm d, yyyy, xrefs: 0040C962
AMPM, xrefs: 0040CA7A
:mm:ss, xrefs: 0040CAB6
m/d/yy, xrefs: 0040C935

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 0-2493093252
Opcode ID: d9978c889cad73681f16d7c5bc10798bde23b206e45648e328e9ffed6f28e191
Instruction ID: 9f33d18317c746421f5e0abd13ea7276c9e249d069864919ba45b4ad295b60f2
Opcode Fuzzy Hash: d9978c889cad73681f16d7c5bc10798bde23b206e45648e328e9ffed6f28e191
Instruction Fuzzy Hash: 5E614F307042489BD700EBA9E892B9F76B6DB88304F50953BB900BB2D7DA3DDD05979C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E734 Relevance: 7.7, Strings: 6, Instructions: 152COMMON

Download Yara Rule

Strings

@, xrefs: 0040E85B
X@, xrefs: 0040E80F
PQE, xrefs: 0040E901
o@, xrefs: 0040E933
@, xrefs: 0040E7DF
y@, xrefs: 0040E942

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @$PQE$X@$o@$y@$@
API String ID: 0-3757838185
Opcode ID: 68988c2835b0af838599ecc37f20ce68e668baa5feec317c1c589138f076d3c1
Instruction ID: 566dba8f58dbddacc2c36c5d3b3df02abd1fd3ad95d7ffa5acb89d1c30cd08f1
Opcode Fuzzy Hash: 68988c2835b0af838599ecc37f20ce68e668baa5feec317c1c589138f076d3c1
Instruction Fuzzy Hash: 1A514F756042059FD704FB6BD881AAE77A5EB44308F50493BE900B73E2CA3DAD14DB6E

Uniqueness

Uniqueness Score: -1.00%

Function 0043DC20 Relevance: 7.6, Strings: 6, Instructions: 103COMMON

Download Yara Rule

Strings

Delphi%.8X, xrefs: 0043DC52
{E, xrefs: 0043DC5F
USER32, xrefs: 0043DD5A
ControlOfs%.8X%.8X, xrefs: 0043DCA3
AnimateWindow, xrefs: 0043DD6A
${E, xrefs: 0043DCB0

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: {E$${E$AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 0-1241122679
Opcode ID: c726b4f5a20483aff7d934df9b9c44e26c0938125d54ed96cec5de19495133fb
Instruction ID: 9058436392f4cf167185d80e1b4893d1f2bfe9b39304905fc72e6ef992cb999a
Opcode Fuzzy Hash: c726b4f5a20483aff7d934df9b9c44e26c0938125d54ed96cec5de19495133fb
Instruction Fuzzy Hash: C6415DB4A042448FC700FFB9E88299E77B5AB48308B51947BF501E73A3DB39A904CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEE8 Relevance: 7.5, Strings: 6, Instructions: 28COMMON

Download Yara Rule

Strings

r@, xrefs: 0040BEF0
lw@, xrefs: 0040BF07
(pE, xrefs: 0040BF61
pE, xrefs: 0040BF54
r@, xrefs: 0040BF31
Lo@, xrefs: 0040BEFF

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: pE$ r@$(pE$Lo@$lw@$r@
API String ID: 0-1730518854
Opcode ID: 9390c8ee92a1f73f0f13ab63f173fe82f8cc1f7037022c64ce77b75b9f2e544b
Instruction ID: defeda593ae285fc9a1f1910fb6a337bdfee94b8e7298079819a04e21750d255
Opcode Fuzzy Hash: 9390c8ee92a1f73f0f13ab63f173fe82f8cc1f7037022c64ce77b75b9f2e544b
Instruction Fuzzy Hash: 7B0145B86053008FC701EF18E9808087BE1EB4A30678281B6EC08AB3B6D775A844CF9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040A421 Relevance: 6.4, Strings: 5, Instructions: 128COMMON

Download Yara Rule

Strings

A/P, xrefs: 0040A469
AAAA, xrefs: 0040A4EF
AMPM, xrefs: 0040A4A6
AAA, xrefs: 0040A536
AM/PM, xrefs: 0040A42C

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A/P$AAA$AAAA$AM/PM$AMPM
API String ID: 0-3831542625
Opcode ID: db4e144e257894da7d182c18e758fab6214be4e64e9bd7c169f2527a4bde25b6
Instruction ID: 9a37f083ad99cef0e8e23554ea075262d03d8bbc820e3a2e4becc2b72f0e222b
Opcode Fuzzy Hash: db4e144e257894da7d182c18e758fab6214be4e64e9bd7c169f2527a4bde25b6
Instruction Fuzzy Hash: 6C41C0717042049FDB41EB59E905A9E37B9AB09324F24807BF448BB2C2CB7DDE81974E

Uniqueness

Uniqueness Score: -1.00%

Function 00453864 Relevance: 6.4, Strings: 5, Instructions: 116COMMON

Download Yara Rule

Strings

File not found or cannot open file ! Fichier proteg en criture ou en cours d'utilisation !, xrefs: 004538E3
{E, xrefs: 0045392C
CRC check failed Wrongversion or already patched !reinstall the v5.3.1.4, xrefs: 00453957
Exit, xrefs: 00453900, 00453981, 00453A19
Cracking done... target file: CloneCD.exe succcessfully cracked !, xrefs: 00453A02

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Cracking done... target file: CloneCD.exe succcessfully cracked !$ File not found or cannot open file ! Fichier proteg en criture ou en cours d'utilisation !$CRC check failed Wrongversion or already patched !reinstall the v5.3.1.4$Exit${E
API String ID: 0-1892052650
Opcode ID: d4096637713db42e0d8ce3a76cc4259c4968aa93a996fd2c6d819d039ad91355
Instruction ID: 4ce4a3fbd74ed0397f88bbcdbdb9c24cbc0313cd230e956122188193be8c0d1d
Opcode Fuzzy Hash: d4096637713db42e0d8ce3a76cc4259c4968aa93a996fd2c6d819d039ad91355
Instruction Fuzzy Hash: 6241A230604A448BC711EF36CD4668AB7E5EF88306F10847BE8499B357DBB8BF458B48

Uniqueness

Uniqueness Score: -1.00%

Function 00410244 Relevance: 6.3, Strings: 5, Instructions: 85COMMON

Download Yara Rule

Strings

Array , xrefs: 00410334
Any, xrefs: 004102AE
PQE, xrefs: 0041031C
String, xrefs: 00410296
ByRef , xrefs: 00410347

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: Any$Array $ByRef $PQE$String
API String ID: 0-762633177
Opcode ID: 12e3f295f4e67983140775fcbf34bc8984b15812c067c7a0817542fe5ad56444
Instruction ID: 23178b1026979146d2df5f638456d0c06cce7cb261f924775d1662cec3aea027
Opcode Fuzzy Hash: 12e3f295f4e67983140775fcbf34bc8984b15812c067c7a0817542fe5ad56444
Instruction Fuzzy Hash: 0B212C70700218CBD724FA59C8416DA73E5EB89300F9041BBBE64933D2DAFC9DC18A9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5C Relevance: 6.3, Strings: 5, Instructions: 61COMMON

Download Yara Rule

Strings

MSWHEEL_ROLLMSG, xrefs: 00406D7B
MSH_SCROLL_LINES_MSG, xrefs: 00406D96
Magellan MSWHEEL, xrefs: 00406D6A
MSH_WHEELSUPPORT_MSG, xrefs: 00406D8A
MouseZ, xrefs: 00406D6F

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 0-3736581797
Opcode ID: dd76d9d20e560f3e3aab8c94fb1162e2a8a8500f82ab6dab0c6e168da5fc6ed7
Instruction ID: b821ce7a7ed6cfb08a074b6e912e75c56a92fe779b0087037b8161484c2bdfbe
Opcode Fuzzy Hash: dd76d9d20e560f3e3aab8c94fb1162e2a8a8500f82ab6dab0c6e168da5fc6ed7
Instruction Fuzzy Hash: A7112175340305AFE710AF55CC81B66B7E8EF45710F26803AB846BB3C1D7B99D609BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00453E1C Relevance: 6.3, Strings: 5, Instructions: 52COMMON

Download Yara Rule

Strings

CloneCD does not install correctly on this computer ! on this computer !, xrefs: 00453E8C
Exit, xrefs: 00453E9C
#,,, xrefs: 00453E4E
#,,, xrefs: 00453E3B
Target file: file not found !, xrefs: 00453EC2

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CloneCD does not install correctly on this computer ! on this computer !$#,,$#,,$Exit$Target file: file not found !
API String ID: 0-1825946143
Opcode ID: 201719572b2abd94714b83050d889d208f2084e18f434abbd804b1349a8ff58c
Instruction ID: 3ac4d1a63fe09d7d124f00a8c158568a0aa852d3aa442e6a20fa797ea3749cdc
Opcode Fuzzy Hash: 201719572b2abd94714b83050d889d208f2084e18f434abbd804b1349a8ff58c
Instruction Fuzzy Hash: BD1158302046049FC702EF16C983A9677E5EF4C745F5540B6FC048F767CB74AE158A58

Uniqueness

Uniqueness Score: -1.00%

Function 00453D0C Relevance: 6.3, Strings: 5, Instructions: 49COMMON

Download Yara Rule

Strings

B.T.K, xrefs: 00453D28
Software\SlySoft\CloneCD, xrefs: 00453D54
Install_Dir, xrefs: 00453D63
\CloneCD.exe, xrefs: 00453D72
|\B, xrefs: 00453D3A

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: B.T.K$Install_Dir$Software\SlySoft\CloneCD$\CloneCD.exe$|\B
API String ID: 0-875973912
Opcode ID: 953c76e0bc62b01ea79a7f05d1c6d94d2676461077ddd905a8f35d4429c462a0
Instruction ID: 7673cb6d2e6594ffdb644a8d56688e7d40b3a175d5dfa1a5f138fed769f5e778
Opcode Fuzzy Hash: 953c76e0bc62b01ea79a7f05d1c6d94d2676461077ddd905a8f35d4429c462a0
Instruction Fuzzy Hash: DA01E134310204AFD310EF26D48295AB3F4EF88745FE0847AF8409B756CB79AE088B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041A932 Relevance: 6.3, Strings: 5, Instructions: 44COMMON

Download Yara Rule

Strings

HxE, xrefs: 0041A993
`xE, xrefs: 0041A9B6
\xE, xrefs: 0041A989
HxE, xrefs: 0041A9C0
dxE, xrefs: 0041A96F

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HxE$HxE$\xE$`xE$dxE
API String ID: 0-1319554525
Opcode ID: 210726ddcfb806683d06202d960b3941b9f7234dd84f6f4ccf647ae835e251f8
Instruction ID: f259f19afe42c152ba9264000b8cccbb2754fef0dbe7afb5950faa104b36b97d
Opcode Fuzzy Hash: 210726ddcfb806683d06202d960b3941b9f7234dd84f6f4ccf647ae835e251f8
Instruction Fuzzy Hash: F701A270A086005BD701BBBAA8074693792DB4231A351857BF800DE3A3CE7CDC99CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 0041A934 Relevance: 6.3, Strings: 5, Instructions: 43COMMON

Download Yara Rule

Strings

HxE, xrefs: 0041A993
`xE, xrefs: 0041A9B6
\xE, xrefs: 0041A989
HxE, xrefs: 0041A9C0
dxE, xrefs: 0041A96F

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HxE$HxE$\xE$`xE$dxE
API String ID: 0-1319554525
Opcode ID: 596ca388237058fb3c78561e360089c742e84d24846db5f1a960025896725b81
Instruction ID: d61aabb19a4b4b95f583a28b0d57d3680f47e68f8f2dbe85410aa6b67dddbb38
Opcode Fuzzy Hash: 596ca388237058fb3c78561e360089c742e84d24846db5f1a960025896725b81
Instruction Fuzzy Hash: 5B018670A086005BD701BBBBA8175593796DB4231A351857BF8009F3A3CE7CDD99CE6E

Uniqueness

Uniqueness Score: -1.00%

Function 004507C0 Relevance: 5.1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

Strings

MAINICON, xrefs: 00450898
SE, xrefs: 004507E5, 004507F1
,pE, xrefs: 0045089D, 004508CF
4pE, xrefs: 00450945

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ,pE$4pE$MAINICON$SE
API String ID: 0-2180729021
Opcode ID: 4e04b6b37a70d1e5ab04b0abbb82dca533aeb5493f05aacd1604ce70b39e6377
Instruction ID: 93e3c23d2b2550babe586c293246ad3828809204d4ad812c42c12722aad413ae
Opcode Fuzzy Hash: 4e04b6b37a70d1e5ab04b0abbb82dca533aeb5493f05aacd1604ce70b39e6377
Instruction Fuzzy Hash: 745162746042449FD700EF29C8857857BE4AB15309F4481FAEC48DF397DBBAD988CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040B120 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

dq@, xrefs: 0040B1EE
lp@, xrefs: 0040B15A
,q@, xrefs: 0040B1C9
$wE, xrefs: 0040B1AF

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $wE$,q@$dq@$lp@
API String ID: 0-133481261
Opcode ID: df671046670567e60541bf29e6fb485249b87f11957cac94c7efe71c4cc22684
Instruction ID: 5c999fb9a942c63a1d889f20d3a0dbf7754616a815b85444b81d58fb7e6900d9
Opcode Fuzzy Hash: df671046670567e60541bf29e6fb485249b87f11957cac94c7efe71c4cc22684
Instruction Fuzzy Hash: B231D471F005085BD704DA89D881B6E77A9EB88314F25803BFE19EB382D73CAD0587AD

Uniqueness

Uniqueness Score: -1.00%

Function 00440670 Relevance: 5.1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

Strings

ImageList_WriteEx, xrefs: 004406AF
d#A, xrefs: 004406C5
comctl32.dll, xrefs: 00440684
comctl32.dll, xrefs: 0044069F

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ImageList_WriteEx$comctl32.dll$comctl32.dll$d#A
API String ID: 0-1927177028
Opcode ID: f2c4fe994821357b45611ebe528e65c1341bd1fe16ba1be929bcc3fa25dbf077
Instruction ID: 45d9db34793fccfa3db642d5c78c5ce63d6669aaa6914018a9b7d2ff6ce0fa84
Opcode Fuzzy Hash: f2c4fe994821357b45611ebe528e65c1341bd1fe16ba1be929bcc3fa25dbf077
Instruction Fuzzy Hash: 3A219274604300ABE710AF7A9D42A5A36A8AB44749F11413AF915D72A3D77DEC20DA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00416640 Relevance: 5.1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

Strings

-, xrefs: 004166BA
>, xrefs: 004166C0
., xrefs: 004166B4
Owner, xrefs: 0041669D

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: -$.$>$Owner
API String ID: 0-4224991809
Opcode ID: 1c1cbefd210aa84e40c7ff8627c4bef0a50127445840a110ee4b93177c7fd134
Instruction ID: b862d1e138fa6bd89ed74e196e06d098dad9c64127146a6bf1c64264d7e365d3
Opcode Fuzzy Hash: 1c1cbefd210aa84e40c7ff8627c4bef0a50127445840a110ee4b93177c7fd134
Instruction Fuzzy Hash: 2A110375A042605FDB228E7488907EF7BD99B46724F1702BBD8409B381D63CCC81C28D

Uniqueness

Uniqueness Score: -1.00%

Function 004179EC Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

nil, xrefs: 00417A8A
False, xrefs: 00417A6E
Null, xrefs: 00417A98
True, xrefs: 00417A7C

Memory Dump Source

Source File: 00000000.00000002.2160974499.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2160959331.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2160974499.0000000000464000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: False$Null$True$nil
API String ID: 0-1063864068
Opcode ID: 2c7c49befd27b0ce419012511cfcbf29b5df560d51a1632760911dc143d971bd
Instruction ID: b8bb53496f6115ebf0915d03633ea96d3be7a3dab0cb17f4914a40601762b881
Opcode Fuzzy Hash: 2c7c49befd27b0ce419012511cfcbf29b5df560d51a1632760911dc143d971bd
Instruction Fuzzy Hash: 48014B7932C05047C60876AE28520EE26B59FC8398724947FB24AD7347C93CCA8253AF

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_6bb91ea6b49d6564513997366bf3b187dd686de6_9d3a5af9_3c157071-e92a-468b-9d10-5f2fe579e3cf\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE983.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE9E2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREA50.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exePID: 6532, Parent PID: 1028

General

Chronological Activities

Analysis Process: WerFault.exePID: 2220, Parent PID: 6532

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.W32.S-909ca299.Eldorado.13478.26653.exe