Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Analysis ID:	800788
MD5:	d0adfd6a3ae38491118d11e6caacd186
SHA1:	6ebe1f86e07fb3fbc79e518bc6d8eb02913b11e1
SHA256:	1e7586126018ff22f443a86f027af1e94cb7746d0acdd4814c4970fe33d82b04
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Entry point lies outside standard sections

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe (PID: 2368 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe MD5: D0ADFD6A3AE38491118D11E6CAACD186)

WerFault.exe (PID: 2328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Virustotal: Detection: 31%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 4x nop then push esi	0_2_0042A972
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 4x nop then mov eax, dword ptr [ecx+0000024Ch]	0_2_00432BBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 4x nop then sub esp, 2Ch	0_2_004330CF

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: <Ac@AUIA steamcommunity.comSoftware\Microsoft\Windows\CurrentVersion\Run\steamcommunity_3020.0.0.0 www.steamcommunity.com store.steampowered.com api.steampowered.com discordapp.com dl.discordapp.net status.discordapp.com cdn.discordapp.com media.discordapp.net images-ext-2.discordapp.net images-ext-1.discordapp.net support.discordapp.com twitch.tv www.twitch.tv m.twitch.tv app.twitch.tv music.twitch.tv badges.twitch.tv blog.twitch.tv inspector.twitch.tv stream.twitch.tv dev.twitch.tv platform.twitter.com clips.twitch.tv spade.twitch.tv gql.twitch.tv vod-secure.twitch.tv vod-storyboards.twitch.tv trowel.twitch.tv countess.twitch.tv extension-files.twitch.tv vod-metro.twitch.tv pubster.twitch.tv help.twitch.tv passport.twitch.tv id.twitch.tv link.twitch.tv id-cdn.twitch.tv player.twitch.tv api.twitch.tv cvp.twitch.tv pubsub-edge.twitch.tv clips-media-assets2.twitch.tv client-event-reporter.twitch.tv gds-vhs-drops-campaign-images.twitch.tv us-west-2.uploads-regional.twitch.tv assets.help.twitch.tv discuss.dev.twitch.tv irc-ws.chat.twitch.tv usher.ttvnw.net steamcdn-a.akamaihd.net origin-a.akamaihd.net static3.cdn.ubi.com equals www.twitter.com (Twitter)
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: steamcommunity.comwww.steamcommunity.comstore.steampowered.comapi.steampowered.comdiscordapp.comdl.discordapp.netstatus.discordapp.comcdn.discordapp.commedia.discordapp.netimages-ext-2.discordapp.netimages-ext-1.discordapp.netsupport.discordapp.comtwitch.tvwww.twitch.tvm.twitch.tvapp.twitch.tvmusic.twitch.tvbadges.twitch.tvblog.twitch.tvinspector.twitch.tvstream.twitch.tvdev.twitch.tvplatform.twitter.comclips.twitch.tvspade.twitch.tvgql.twitch.tvvod-secure.twitch.tvvod-storyboards.twitch.tvtrowel.twitch.tvcountess.twitch.tvextension-files.twitch.tvvod-metro.twitch.tvpubster.twitch.tvhelp.twitch.tvpassport.twitch.tvid.twitch.tvlink.twitch.tvid-cdn.twitch.tvplayer.twitch.tvapi.twitch.tvcvp.twitch.tvpubsub-edge.twitch.tvclips-media-assets2.twitch.tvclient-event-reporter.twitch.tvgds-vhs-drops-campaign-images.twitch.tvus-west-2.uploads-regional.twitch.tvassets.help.twitch.tvdiscuss.dev.twitch.tvirc-ws.chat.twitch.tvusher.ttvnw.netsteamcdn-a.akamaihd.netorigin-a.akamaihd.netstatic3.cdn.ubi.com equals www.twitter.com (Twitter)

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://cctv4-lh.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://hgtv-i.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://moviesok-i.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://toots-a.akamaihd.net
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://usher.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://vluki-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.51.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.52.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.53.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.54.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.55.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.17.2.37
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.128.232
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.129.232
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.129.233
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1d23669ea58a590fd66d9204d4301563.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1f9e8ace0a1f5bb29e03a418a1decade.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://21fe13a7e38f7c092db817a188a63c79.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://522c432cc10e237a02fa1d6481d7d247.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5bcfae2f38d0e143c888d07ec9733d8c.s
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5bcfae2f38d0e143c888d07ec9733d8c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://985a89155dd090eacda1b82388e334ed.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://a22ea2da0e1c896a46c16a51f3eb16f4.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://api.steampowered.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://api.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://app.tw
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://app.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://assets.help.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://aws.amazon.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://badges.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://blog.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c3ad68a16f66bff24e2d82595bd240a1.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://cdn.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://client-event-reporter.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://clips-media-assets2.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://clips.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://countess.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://cvp.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dev.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discordcdn.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discuss.dev.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dl.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akama
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd.
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://extension-files.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://fc13c9775f9e169a8677a3a43f121d5c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gateway.discord.gg
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gateway.discord.gg:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gds-vhs-drops-campaign-images.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gql.twitc
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gql.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://help.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://humblebundle-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://id-cdn.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://id.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://images-ext-1.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://images-ext-2.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://inspector.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://irc-ws.chat.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://link.twitch.
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://link.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://m.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://media.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://music.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://origin-a.akamaihd.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://passport.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://platform.twitter.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://player.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://pubster.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://pubsub-edge.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://spade.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://static2.cdn.ubi.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://static3.cdn.ubi.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://status.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akamaihd.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcn.com/t419530-1-1
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamai
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamaihd.ne
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steampipe.ak
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steampipe.akamaized.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamstore-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamuserimages-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://store.steampowered.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://stream.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://support.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://trowel.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://us-west-2.uploads-regional.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://usher.ttvnw.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-metro.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-secure.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-storyboards.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.dogfight360.com/blog
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.dogfight360.com/blogopenhttps://steamcn.com/t419530-1-10autostart1certificate_newNode
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.twitch.tv:

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe, 00000000.00000002.277417054.0000000000850000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 212

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004900E2	0_2_004900E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00470080	0_2_00470080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004600B0	0_2_004600B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472259	0_2_00472259
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046231B	0_2_0046231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004743A0	0_2_004743A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00464520	0_2_00464520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046264D	0_2_0046264D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472716	0_2_00472716
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046E8B0	0_2_0046E8B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00438980	0_2_00438980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00478980	0_2_00478980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00482980	0_2_00482980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0047EA60	0_2_0047EA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472A01	0_2_00472A01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00484AD0	0_2_00484AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00442B10	0_2_00442B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472BB4	0_2_00472BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00480C90	0_2_00480C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046EDF0	0_2_0046EDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0049EE59	0_2_0049EE59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00494E07	0_2_00494E07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472E2E	0_2_00472E2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00440E30	0_2_00440E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046AED0	0_2_0046AED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0045AEE5	0_2_0045AEE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00482F00	0_2_00482F00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0044F050	0_2_0044F050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0045D080	0_2_0045D080

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 212

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2368

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER172A.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: /c /add "
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: /c /add "
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: -3\steamcommunityCA.pem" /s /n Steamcommunity302 root /c /add "

Source: classification engine

Classification label: mal60.winEXE@2/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static file information: File size 1221632 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004060E8 push ds; retf	0_2_00406665
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00492545 push ecx; ret	0_2_00492558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0048EDBC push eax; ret	0_2_0048EDDA

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam01
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam02
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam03
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam04
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam05

Source: initial sample

Static PE information: section where entry point is pointing to: .clam01

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Code function: 0_2_0048B8C3 LdrInitializeThunk,

0_2_0048B8C3

Source: Amcache.hve.2.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: procexp.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	38%	ReversingLabs
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	31%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://5bcfae2f38d0e143c888d07ec9733d8c.s	0%	Avira URL Cloud	safe
https://usher.ttvnw.net:	0%	Avira URL Cloud	safe
https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz	0%	Avira URL Cloud	safe
https://eaassets-a.akam	0%	Avira URL Cloud	safe
https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz	0%	Avira URL Cloud	safe
https://usher.ttvnw.net:	0%	Virustotal		Browse
https://104.16.52.111	0%	Avira URL Cloud	safe
https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz	0%	Avira URL Cloud	safe
https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz	0%	Avira URL Cloud	safe
https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz	0%	Avira URL Cloud	safe
https://steamcommunity-a.akamaihd.ne	0%	Avira URL Cloud	safe
https://link.twitch.	0%	Avira URL Cloud	safe
https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.54.111	0%	Avira URL Cloud	safe
https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz	0%	Avira URL Cloud	safe
https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz	0%	Avira URL Cloud	safe
https://104.17.2.37	0%	Avira URL Cloud	safe
https://gql.twitc	0%	Avira URL Cloud	safe
https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz	0%	Avira URL Cloud	safe
http://usher.steam302.xyz	0%	Avira URL Cloud	safe
https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz	0%	Avira URL Cloud	safe
https://162.159.129.233	0%	Avira URL Cloud	safe
https://162.159.129.232	0%	Avira URL Cloud	safe
https://gateway.discord.gg:	0%	Avira URL Cloud	safe
https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz	0%	Avira URL Cloud	safe
https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz	0%	Avira URL Cloud	safe
https://steamcommunity-a.akam	0%	Avira URL Cloud	safe
https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz	0%	Avira URL Cloud	safe
https://steamcommunity-a.akamai	0%	Avira URL Cloud	safe
https://104.16.51.111	0%	Avira URL Cloud	safe
https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz	0%	Avira URL Cloud	safe
https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz	0%	Avira URL Cloud	safe
https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz	0%	Avira URL Cloud	safe
https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz	0%	Avira URL Cloud	safe
https://gateway.discord.gg	0%	Avira URL Cloud	safe
https://eaassets-a.akamaihd	0%	Avira URL Cloud	safe
https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz	0%	Avira URL Cloud	safe
https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz	0%	Avira URL Cloud	safe
https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.53.111	0%	Avira URL Cloud	safe
https://steampipe.ak	0%	Avira URL Cloud	safe
https://104.16.55.111	0%	Avira URL Cloud	safe
https://985a89155dd090eacda1b82388e334ed.steam302.xyz	0%	Avira URL Cloud	safe
https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz	0%	Avira URL Cloud	safe
https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz	0%	Avira URL Cloud	safe
https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz	0%	Avira URL Cloud	safe
https://1d23669ea58a590fd66d9204d4301563.steam302.xyz	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://images-ext-1.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://5bcfae2f38d0e143c888d07ec9733d8c.s	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://www.dogfight360.com/blog	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://countess.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akam	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://cvp.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://status.discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://dev.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://passport.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gds-vhs-drops-campaign-images.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://id-cdn.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://usher.ttvnw.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://104.16.52.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamuserimages-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://vod-metro.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://api.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://www.clamav.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://origin-a.akamaihd.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akamaihd.ne	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://link.twitch.	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://id.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://link.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.54.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://clips.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://aws.amazon.com	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.17.2.37	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://pubsub-edge.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gql.twitc	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://us-west-2.uploads-regional.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcn.com/t419530-1-1	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://dl.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://usher.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://steamcdn-a.akamaihd.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://music.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamstore-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://player.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://www.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://162.159.129.233	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://162.159.129.232	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://clips-media-assets2.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://m.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://gateway.discord.gg:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gateway.discord.gg	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://images-ext-2.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://vod-storyboards.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://vluki-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akam	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://irc-ws.chat.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://app.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akamai	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://104.16.51.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://platform.twitter.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://blog.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gql.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://extension-files.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akamaihd	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://client-event-reporter.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.53.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://inspector.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://cctv4-lh.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://static2.cdn.ubi.com	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steampipe.ak	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
http://toots-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://spade.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://media.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://hgtv-i.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://support.discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://trowel.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://985a89155dd090eacda1b82388e334ed.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.55.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://help.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://upx.sf.net	Amcache.hve.2.dr	false		high
https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://1d23669ea58a590fd66d9204d4301563.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800788
Start date and time:	2023-02-07 19:46:54 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Detection:	MAL
Classification:	mal60.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.1%) Quality average: 12.4% Quality standard deviation: 15.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
19:48:02	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_8b8aab2d3044b37bde8ae2665b0819910cdd8be_7335685e_095836a8\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6771188638551645
Encrypted:	false
SSDEEP:	96:VoFnPWV+zyQer9hMyoI7Jf/pXIQcQvc6QcEDMcw3DOWz+HbHg6ZAXGng5FMTPSkH:udo3ZHBUZMXAjE/u7sTS274Itk
MD5:	855206006F7DEE78BCE1AEA6CAD5982E
SHA1:	819FAAAB152AC17DEE80D375E9C7B3AECB15D878
SHA-256:	6E3344F79D2ACD5523E32711D9EECDCF4E3BC4D15FAC65BB9F90DDB7D4D292A6
SHA-512:	9A6602885CBAB2D09F5A0EF3D4D39B1B097DB970F2C05B6788C182ACD7C2B75B4187629B47BB637A73556A00235C3AEED42B92AEADA9215EB55342058D5DE6D8
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.1.6.7.4.1.1.2.5.8.3.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.1.6.7.4.6.2.8.1.9.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.8.e.b.5.4.4.-.7.a.0.7.-.4.2.9.0.-.b.f.e.2.-.7.2.e.4.b.6.3.2.5.d.8.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.7.7.1.f.8.e.0.-.6.2.5.b.-.4.1.2.5.-.9.9.9.2.-.e.d.4.3.b.2.e.0.a.8.a.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...1.G.8.0.G.6.X...7.2.1.6...1.5.0.7.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.4.0.-.0.0.0.1.-.0.0.1.f.-.3.9.3.8.-.1.1.1.f.7.0.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.7.8.2.b.f.d.1.f.a.1.4.2.1.4.7.4.1.a.3.d.a.c.5.8.7.c.3.e.c.9.0.0.0.0.f.f.f.f.!.0.0.0.0.6.e.b.e.1.f.8.6.e.0.7.f.b.3.f.b.c.7.9.e.5.1.8.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER172A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 03:47:54 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18032
Entropy (8bit):	2.1922587903575153
Encrypted:	false
SSDEEP:	96:5F8i48Q/Nbv7vvk/oi7knzlXzdSWMZS5JizwsyVe3WInWIX4I4uVIZa6G:AiM1DvsAOWdSWDbsyUwuVGnG
MD5:	AE621C78C119E91FC27977FD52858EAB
SHA1:	80086FC7E8599F7B90316C6927CA465015DFB714
SHA-256:	2121254F7BE9044CDF106E8BFFEEBB78E650919FA10A4C085F4FA35D4C6D5E8B
SHA-512:	6D387EFAE5C72E5EF96AA039C8018D7753C70B1F5DB0338A206C0138606B2CCC72198B95C22E1EE08B427B01F469E9509CAB791551BA200C6840D014AA8929B2
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......j..c............4........... ...<.......d...h...........T.......8...........T................=..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......@...h..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER17F6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8480
Entropy (8bit):	3.7105401924660883
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiSd60QwolP6Yq5SUEy1gmf0MS+Cprj89bissf42m:RrlsNiI60QlP6YESUn1gmfHSii/fw
MD5:	70256A99F1DD8CBE33B9CE8F02AD6EEE
SHA1:	E20F8414A11357B3CB7D0578634508BDF83014FE
SHA-256:	CFF841143B8D66CE50B3D473DDCA12C8F37A761FD8FBF6E8E4DC0D9486896C37
SHA-512:	1127DDC2B7DBDECE4E4B3987499B684602ECCBC22E25D6DE0471004A3C9D105D5F80E7419648F90BDAD9DF4E8CA95345F64EC872033A9F9EC61C1A90A6E69D08
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.3.6.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1864.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4813
Entropy (8bit):	4.602194128745111
Encrypted:	false
SSDEEP:	48:cvIwSD8zs6JgtWI93nj7Wgc8sqYj18fm8M4JO2ZFBU+q8tm0zR+Nfd:uITfIunjKgrsqYOJ9tUTAR+Nfd
MD5:	35C2E153841B86E09B989B4768A096C5
SHA1:	E19118841CFBB1A6212E6C1E6AF8B6CD26B528A6
SHA-256:	A2BCB5F5262B99458F405976AED5C4473470EB313895199C99111E1B96665BE6
SHA-512:	8A05A252E2964B5848B7B818EA0849D4C9BE0E14D993BD32620D0A1628A2CEAB70325355E950876ADF4FCDD81455FDD289CF9466847F9BB504D4D31B2E645BB2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903018" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.290622696417638
Encrypted:	false
SSDEEP:	12288:EJh78rBX4yWceTfEhlCThx3oQKikNn2uetWVzF16HkTWlsVdd55lqKo:S78rBX4yWceTfE0nc
MD5:	9E47AC22D77BC441C069E1E2C2C4623C
SHA1:	397EA6F12E1162D9AA4E40FFAC8402B6DC6681AE
SHA-256:	B1292BCD55E4F41DE36CDD321C17DDDC8E9C33F172E28832E92B34CD9E020626
SHA-512:	5B68E0F0633B76BF9CD0883F59734BB0EF9580ECE06CA9DC8A19D14069B838402A1A59D33601C37782304DD03311E2A42A9E1368942119D27052E924322590FD
Malicious:	false
Reputation:	low
Preview:	regfj...j...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.DR.p;................................................................................................................................................................................................................................................................................................................................................[B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.8182749306146797
Encrypted:	false
SSDEEP:	768:20DRftx1oJ4J3HNAJfAqpGpjkqIoSC9O4MYrWoE:hGWnTW
MD5:	4AC3F5994E3E77991C767220F1110171
SHA1:	A016E8F7BFD3E94F49C37CEEFA507A21CDD21E69
SHA-256:	B3A39D9A7FD3DAFA6802F4001BE77449DDECD4BFB4F5A364B4ED039E11D0A37D
SHA-512:	57E1707C2C43DC692F7EB69E13B20C29046EAE251E1BF1515811BA9882BAEB306465B8DA9692891B003E80BA7B35168144191CACC70EB01ED13B1D664824CB11
Malicious:	false
Preview:	regfi...i...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.DR.p;................................................................................................................................................................................................................................................................................................................................................[BHvLE.n......i................-.../...tB..........0...................0..hbin................p.\..,..........nk,.$.T.p;.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .$.T.p;...... ........................... .......Z.......................Root........lf......Root....nk .$.T.p;...................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.690323528890668
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
File size:	1221632
MD5:	d0adfd6a3ae38491118d11e6caacd186
SHA1:	6ebe1f86e07fb3fbc79e518bc6d8eb02913b11e1
SHA256:	1e7586126018ff22f443a86f027af1e94cb7746d0acdd4814c4970fe33d82b04
SHA512:	7ad4b2265159e6438cc8602430691029e700a7dbb8e476bafc3312fca4f3b1dfe42dee1b99ebb7bbbbe97f67e46a43250c5d20766e3b505cd0163caf74aa6daa
SSDEEP:	24576:8HrUZK3kA2VJT8TwnQCSPRI23bkmb5tSdaqOQgn9MX2R2XB4kVyigqlSiAClS9oD:84llE9o9GjBraKQ1
TLSH:	0545AE72F78208E1D3101678C9FF2339DEB877960A25CD6B6694DD741E7A130BE26392
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x48b8c3
Entrypoint Section:	.clam01
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007FF711FAAFD3h
jmp 00007FF7118B16D3h
mov eax, 00493234h
mov dword ptr [004E45F0h], eax
mov dword ptr [004E45F4h], 0049292Ah
mov dword ptr [004E45F8h], 004928DEh
mov dword ptr [004E45FCh], 00492917h
mov dword ptr [004E4600h], 00492880h
mov dword ptr [004E4604h], eax
mov dword ptr [004E4608h], 004931ACh
mov dword ptr [004E460Ch], 0049289Ch
mov dword ptr [004E4610h], 004927FEh
mov dword ptr [004E4614h], 0049278Ah
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007FF7118C8DD3h
cmp dword ptr [ebp+08h], 00000000h
je 00007FF708E3C5B7h
call 00007FF712063AD3h
fnclex
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp dword ptr [00509CC8h], 00000000h
je 00007FF708E3C63Dh
sub esp, 08h
stmxcsr dword ptr [esp+04h]
mov eax, dword ptr [esp+04h]
and eax, 00007F80h
cmp eax, 00001F80h
jne 00007FF708E3C5C1h
fstcw word ptr [esp]
mov ax, word ptr [esp]
and ax, 007Fh
cmp ax, 007Fh
lea esp, dword ptr [esp+08h]
jne 00007FF708E3C60Ch

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.clam01	0x1000	0xb1000	0xb1000	False	0.4473925229519774	data	6.649028182656562	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam02	0xb2000	0x24000	0x24000	False	0.3477376302083333	data	5.185351349669696	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam03	0xd6000	0x35000	0x35000	False	0.10202774911556604	data	2.060003423850223	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam04	0x10b000	0xc000	0xc000	False	0.0074462890625	data	0.06664922320641793	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam05	0x117000	0x14000	0x14000	False	0.29237060546875	data	3.9663953584370155	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Target ID:	0
Start time:	19:47:52
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Imagebase:	0x400000
File size:	1221632 bytes
MD5 hash:	D0ADFD6A3AE38491118D11E6CAACD186
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	2
Start time:	19:47:53
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 212
Imagebase:	0x340000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 0048B8C3 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0048B8C3

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e5837a9b5b5e3b4a4c93183ea69d42f6d9758d6be260b7f7375af14aa4c7735
Instruction ID: 1dacef987c27c7ced679bb5fd0491ebd07f54a7d0dba31caf58c3c50cd67f924
Opcode Fuzzy Hash: 9e5837a9b5b5e3b4a4c93183ea69d42f6d9758d6be260b7f7375af14aa4c7735
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00464520 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

unexpected compose, xrefs: 00464564
unknown interlace type, xrefs: 004645B7
unexpected bit depth, xrefs: 004645F3
unexpected 8-bit transformation, xrefs: 00464599
lost rgb to gray, xrefs: 00464550
lost/gained channels, xrefs: 00464580

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: 17252c129fac60db3391b6e6c9d9bbf034fd84b061caab5a46156c1c29628426
Instruction ID: 0588eae751ea6828e08e1a12e62da060cac8ce3c8d6915167bed4e1048d06545
Opcode Fuzzy Hash: 17252c129fac60db3391b6e6c9d9bbf034fd84b061caab5a46156c1c29628426
Instruction Fuzzy Hash: 9412C5757083418FCB58DF28C88066AB7E2FBC9314F04453EE99987385E739E945CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00438980 Relevance: 7.8, Strings: 6, Instructions: 279COMMON

Download Yara Rule

Strings

66, xrefs: 00438AD3, 00438B27
<7, xrefs: 004389A5
P;, xrefs: 00438B77, 00438B8E, 00438C54
.7, xrefs: 004389EF
rE, xrefs: 00438D01
l9, xrefs: 004389DA

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .7$66$<7$P;$l9$rE
API String ID: 0-1116864076
Opcode ID: d72353c32a8653624bef67e62825b3645a403b89a8e04e37d2191299d3abf0d5
Instruction ID: c55559a06a9bbe95809e91bfd6637674e54a3ebd7e2b27b3349288437245810f
Opcode Fuzzy Hash: d72353c32a8653624bef67e62825b3645a403b89a8e04e37d2191299d3abf0d5
Instruction Fuzzy Hash: EBB14BB02007029BC724EF68C994BABF7E5BF48300F50592EF5AA87291DF34B945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046264D Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

rgb[ga] color-map: too few entries, xrefs: 00462694
rgb color-map: too few entries, xrefs: 0046285C
rgb-alpha color-map: too few entries, xrefs: 00462952
rgb+alpha color-map: too few entries, xrefs: 00462897
rgb[gray] color-map: too few entries, xrefs: 004626CF

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1563483223
Opcode ID: bf602d38870dcdeb7714331d3ceac6f6d6e91b2111a7c4d3c9d3bbb8cfc48aba
Instruction ID: feda99ae4799dad88a070c761110f108cc6e31adc909ae684f47fea141a861f1
Opcode Fuzzy Hash: bf602d38870dcdeb7714331d3ceac6f6d6e91b2111a7c4d3c9d3bbb8cfc48aba
Instruction Fuzzy Hash: 09D12372A14341ABE394DF14CC81B6BB7D9EFD4304F04062EF8999B381E6B8D945C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0044F050 Relevance: 6.5, Strings: 4, Instructions: 1494COMMON

Download Yara Rule

Strings

t:, xrefs: 0044F722, 0044F8B1, 0044FC0D, 00450333
^;, xrefs: 0044F230, 0044F2CE, 0044F36E, 0044F717, 0044F86B, 0044FC02, 00450328
@, xrefs: 0044F8EC, 0044FDB8
?, xrefs: 0044F271, 0044F30F, 0044F3AF, 0044F73F, 0044FA97, 0044FC69, 0044FCD4, 00450350

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ^;$t:$?$@
API String ID: 0-2577415547
Opcode ID: 66f7ac5bc4db995fd09aab24949f2852657e91fa7f3abcb33735c9eaed0a1e13
Instruction ID: 89c635632eff76bf2ab10b85ecd58ea55021e45c48c71791736b475f80bf4dd3
Opcode Fuzzy Hash: 66f7ac5bc4db995fd09aab24949f2852657e91fa7f3abcb33735c9eaed0a1e13
Instruction Fuzzy Hash: B7D248752083859FD324DF64C994FAFB7E9FBC8704F004A1EE58A83251DB74A909CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0046E8B0 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row logic error, xrefs: 0046E8F5
internal row width error, xrefs: 0046E93D
invalid user transform pixel depth, xrefs: 0046EB29
internal row size calculation error, xrefs: 0046E92B

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 0a6ab6bfc22e8ab8a5b0e4497cb143ff38d30f1c337fc8e55e5bb1bda7b4cbe8
Instruction ID: 76e15c1a1b1eb35fe2d37eb0fbe6a667e866ce2269ccd05b3ab0bbefbb1d78b1
Opcode Fuzzy Hash: 0a6ab6bfc22e8ab8a5b0e4497cb143ff38d30f1c337fc8e55e5bb1bda7b4cbe8
Instruction Fuzzy Hash: B2F128396083968FCB24CE29D9902BFBBD1AFD6310F58456FD88587342F6299C09C797

Uniqueness

Uniqueness Score: -1.00%

Function 0046231B Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

L, xrefs: 00462486
gray+alpha color-map: too few entries, xrefs: 00462334
ga-alpha color-map: too few entries, xrefs: 00462387
gray-alpha color-map: too few entries, xrefs: 004625A5

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$ga-alpha color-map: too few entries$gray+alpha color-map: too few entries$gray-alpha color-map: too few entries
API String ID: 0-2470002146
Opcode ID: 5906b32e23beff4a6aa64285cc64be11c239928e552f909aa1833f72f8c0bb1e
Instruction ID: 62f01a12492dfa869cd397b2507294639afccb373d6d74304e823ff8c7480bd4
Opcode Fuzzy Hash: 5906b32e23beff4a6aa64285cc64be11c239928e552f909aa1833f72f8c0bb1e
Instruction Fuzzy Hash: D081D2B1A183419BD348CF24CD51B2BBBE5EBC9304F04492DF48597391E7B8D945CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00478980 Relevance: 4.8, Strings: 3, Instructions: 1089COMMON

Download Yara Rule

Strings

too many length or distance symbols, xrefs: 00479353
invalid stored block lengths, xrefs: 00479207
invalid bit length repeat, xrefs: 00479441

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid stored block lengths$too many length or distance symbols
API String ID: 0-949635641
Opcode ID: 25676f3fcd3356e4984382619c54d99da01b2bf6944592414eb10acee4d99569
Instruction ID: 4d3e969fb4d6d5f9f8319c259846e108de9592ec70fdee39f80b9bb47bdfff80
Opcode Fuzzy Hash: 25676f3fcd3356e4984382619c54d99da01b2bf6944592414eb10acee4d99569
Instruction Fuzzy Hash: 53926CB5A043018FCB08CF19D88496ABBE6FFC9310F14C96EE8998B355E735E845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004600B0 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

known incorrect sRGB profile, xrefs: 0046028E
copyright violation: edited ICC profile ignored, xrefs: 00460247
out-of-date sRGB profile with no signature, xrefs: 004602A6

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-1307623137
Opcode ID: e76078544bb7ee8edcca9579bf3414809b6abb8d494789d66cecc048c4982bf9
Instruction ID: 42f3d611448b0275e273ecff4b3305303ae3f9a48b05122ba9f682646459eb36
Opcode Fuzzy Hash: e76078544bb7ee8edcca9579bf3414809b6abb8d494789d66cecc048c4982bf9
Instruction Fuzzy Hash: 6D512AB27087910BDB68CE394C6176BBBE25FC5204F19C8ADD4D9C7341F564E805CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00470080 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

libpng does not support gamma+background+rgb_to_gray, xrefs: 0047050C
invalid background gamma type, xrefs: 0047088C

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: 9235b0badd2f5d9e4da63bfd41724ff6eebb3928c8685bede69d91f75369c6b9
Instruction ID: 85c680dfe23e7247d366d1d5602f0e909fce567e8974a160dab72b5a841b0a0b
Opcode Fuzzy Hash: 9235b0badd2f5d9e4da63bfd41724ff6eebb3928c8685bede69d91f75369c6b9
Instruction Fuzzy Hash: F0623A75509B818AD331DB34CC407F7BBE1AF5A300F08896ED9EE8B352E639A805C759

Uniqueness

Uniqueness Score: -1.00%

Function 00480C90 Relevance: 3.0, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 0048127E
invalid literal/length code, xrefs: 00481230

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: 6c142de8fa9efb285cc736fb40da0ea2058503b448a43c3af60b5a8eb9d56be6
Instruction ID: 0d996b808d37d9fb1560db2424a5e58ced5e96494e0da0c1d6c0f15b501d8dc6
Opcode Fuzzy Hash: 6c142de8fa9efb285cc736fb40da0ea2058503b448a43c3af60b5a8eb9d56be6
Instruction Fuzzy Hash: 351258B46087028FC708DF29D594A2ABBE1FF88304F148A6EE48AC7761D734E945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00484AD0 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 00484D52
invalid literal/length code, xrefs: 00484E16

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: b10f619bdcd75913c505a87fd725d5e1212f6363886cc4dc518ce88159715903
Instruction ID: 55791b7ac13836943b68ca230673b722c2b8044447d960702a6510d855cf006a
Opcode Fuzzy Hash: b10f619bdcd75913c505a87fd725d5e1212f6363886cc4dc518ce88159715903
Instruction Fuzzy Hash: 94C19E71A087528FC718CF2DD59022AFBE1FBC8310F194A6EE89A93751C734A915CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0045AEE5 Relevance: 2.4, Strings: 1, Instructions: 1183COMMON

Download Yara Rule

Strings

nB, xrefs: 0045BC62

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: nB
API String ID: 0-32927234
Opcode ID: c3f438e7413b494f9e64cc422ec919d2407a64d0328df5ad01ef1d9afc7ec801
Instruction ID: 323820abb24e42190adfa5e6b97caaa551677407b196d5f4b41bf9282b7e5629
Opcode Fuzzy Hash: c3f438e7413b494f9e64cc422ec919d2407a64d0328df5ad01ef1d9afc7ec801
Instruction Fuzzy Hash: 35925971604B418FD329CF29C4906A7BBE2EF99304F14892ED9DB87B62D734B849CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00442B10 Relevance: 1.9, Strings: 1, Instructions: 638COMMON

Download Yara Rule

Strings

l9, xrefs: 00442DD1

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: l9
API String ID: 0-3468237393
Opcode ID: 0f9900cbc7de7e7fcc5340ab8a586c5dd7e4c3f7dae1bf7fed7f7ff19c80f756
Instruction ID: 951c45336bd2b557e226944d09572ce0ed0e94f806c3851ff3b07677d7fecb78
Opcode Fuzzy Hash: 0f9900cbc7de7e7fcc5340ab8a586c5dd7e4c3f7dae1bf7fed7f7ff19c80f756
Instruction Fuzzy Hash: 9132C371E00205DFDB14DFA8C980BAEB7B1FF48310F64466AE516A7381EB74AE41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0045D080 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8937737782dd732adfbf5f63d54c62413bf8484e4ffb5465f29f998c3a275fda
Instruction ID: 223a8ddf371ce32102f216223ab4a58cdf014d6d28c3136330d70551d33a8b48
Opcode Fuzzy Hash: 8937737782dd732adfbf5f63d54c62413bf8484e4ffb5465f29f998c3a275fda
Instruction Fuzzy Hash: 2252C9767447095BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8ED0A8655

Uniqueness

Uniqueness Score: -1.00%

Function 00482980 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ed40b535bfd85424a3774b3b801a78386c4496290a75cf025380b8a8204e12
Instruction ID: 7e2708285872ee3a53fac2836899f8cd2628ab1709ae66ad3c9f0056a7ada428
Opcode Fuzzy Hash: c6ed40b535bfd85424a3774b3b801a78386c4496290a75cf025380b8a8204e12
Instruction Fuzzy Hash: 5DF1BF725092808FC3098F18D9989E27BE2FFA8314B1F46FAD4499B363D7729841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00472259 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5c7539a240e086dfba9989f9b8ae11b68798fc306046cb1f2a4c0655f8c5cd
Instruction ID: f1dbd1427686f1efc237b3d6bcb85e2bac897381a059fa1f9fad7d118279a35e
Opcode Fuzzy Hash: 0e5c7539a240e086dfba9989f9b8ae11b68798fc306046cb1f2a4c0655f8c5cd
Instruction Fuzzy Hash: F8B19D2634A2828BDB125A3C91603F77FA0EB96311F6C94BED9DE87342D15E890DD315

Uniqueness

Uniqueness Score: -1.00%

Function 0046EDF0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7578390f5192414ea4b6ac327700755684f52da1fada117f4d5f0319c97742
Instruction ID: ccd4cd7ab3aa88afb96e15f64a7dc93d6d7a30a46a0691cda251f490ac2bb7b8
Opcode Fuzzy Hash: 2a7578390f5192414ea4b6ac327700755684f52da1fada117f4d5f0319c97742
Instruction Fuzzy Hash: 62D1AD76A097468FC708CF18D49036BBBE1FBD9314F544A2EE8D587350E335A90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 004900E2 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4a36210166feda4cf28356dbb3628b9fab61bd3178ff5c50805f6e688b126d
Instruction ID: 35e6b89db8f1f1d3472e7355e2773c4b26c8db828c7f88a7ab974cfe3f84aaf1
Opcode Fuzzy Hash: 3d4a36210166feda4cf28356dbb3628b9fab61bd3178ff5c50805f6e688b126d
Instruction Fuzzy Hash: 00C16E73D1E5B24A8F36462D041823FEE626F91B4435FC7B2DCD03F28AC62AAD1596D4

Uniqueness

Uniqueness Score: -1.00%

Function 00440E30 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb8eae065287abe230e8812b167e1d0d8cc05524fb6861910b2a871f80fa556
Instruction ID: 42d4e81c0c9150a6f0a0833112c3390663a1276f6a3d1dc3ae307dcdc21d4f40
Opcode Fuzzy Hash: cdb8eae065287abe230e8812b167e1d0d8cc05524fb6861910b2a871f80fa556
Instruction Fuzzy Hash: E5C1D0316086844FE735CF08C0647ABB7E2AF95740F58892FE6C147366D77C98A9CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00472E2E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3533514cedc7d03b5159d59b8045bc02726dcd8b3dd6cf900803b1865555f5
Instruction ID: a256fd90512e74eb3187dd02a94522a0e6586886368a7f71360d0fb5a15d8125
Opcode Fuzzy Hash: 4a3533514cedc7d03b5159d59b8045bc02726dcd8b3dd6cf900803b1865555f5
Instruction Fuzzy Hash: 12C1BE3520D7824BC729DB3894A55FBBFE2AFAA300B1DD5BDD48A8B3A7D9215409C740

Uniqueness

Uniqueness Score: -1.00%

Function 00482F00 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 286b1845b7c796346df4e1769172e010bf606ca66de5c951622ac822a8b6a901
Instruction ID: a6c611765e9f7fc8f4b9793c17d4ba928557c3a464aa36f19986e23a70c6cad9
Opcode Fuzzy Hash: 286b1845b7c796346df4e1769172e010bf606ca66de5c951622ac822a8b6a901
Instruction Fuzzy Hash: 3FD189712082518FC319CF18E9D88E67BE1BFA8740F0E46F9C98A9B323D7729941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00472BB4 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c44b79c17cf8662aea1247097181a5e4331f8e07f9f1b4761d484fb33f2d86
Instruction ID: f97bf71761986a3705888cadf55a363403b459df62e4d9fac26cc9015fc53eb2
Opcode Fuzzy Hash: 34c44b79c17cf8662aea1247097181a5e4331f8e07f9f1b4761d484fb33f2d86
Instruction Fuzzy Hash: 0771142520D7C24FC72A9B2888A42F6BFD1AFA7301F5C95FDD8DA4F392C5165409C721

Uniqueness

Uniqueness Score: -1.00%

Function 0047EA60 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 8e2b79259746a34fdd145293c15a79e5c810a86f9892c90c0be6b628b3e56c45
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 6E81E73954A7819FC711CF29C0D04A6FFE2BF9E204F5C999DE9D50B316C231A91ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00472A01 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375203ff4340e4f34b6c1ec64bbd7a73d7c14454166c216670612afb07d480e4
Instruction ID: f7b871beb6d0e634f27bae58c39fc50c5bb7bc8d25b216e39388cce35efd1805
Opcode Fuzzy Hash: 375203ff4340e4f34b6c1ec64bbd7a73d7c14454166c216670612afb07d480e4
Instruction Fuzzy Hash: FD4129363192838BC7299E3CC5512F6FBA1EF9A300F5887BEC4D9C7742D619A50AD750

Uniqueness

Uniqueness Score: -1.00%

Function 00472716 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: b5fbcc907fa8f4c186584c0d646149e0c27d562293e78a8e386b16a7ce80cfbb
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: A151AB2920DBD14AC71A973854A96F7FFE29F6B301B4ED1EEC4DA8B323C5160008C761

Uniqueness

Uniqueness Score: -1.00%

Function 004743A0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16108e6fb8a8680c0b9cc817721781ec995235c408a0f13871d28ea10d1e559
Instruction ID: 38831739de5920f7e85f78d86d2547de0a7cba0e08f3be0e7fa5b778c0b764c7
Opcode Fuzzy Hash: a16108e6fb8a8680c0b9cc817721781ec995235c408a0f13871d28ea10d1e559
Instruction Fuzzy Hash: 2641A5727019414BC778CA2AE9A02FBB7D3DBC6311B28C46FC29ECB725D6356444CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0046AED0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5601f85b3d8cc4091a0d1b4f797139fb28ac3643c65f7a0dbf4a36fa40fd9f
Instruction ID: 10d75487e991485edefa14e650b99c9380800a8b50fd9d0e515e832c3cd39f81
Opcode Fuzzy Hash: cf5601f85b3d8cc4091a0d1b4f797139fb28ac3643c65f7a0dbf4a36fa40fd9f
Instruction Fuzzy Hash: 5631C4227B909207D394CEBD9C80637FA9397CB346B6CC678D584C7A1AE43AE8078614

Uniqueness

Uniqueness Score: -1.00%

Function 0042A972 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c277d1b3e6441810da322548f46808cd6d3fa52c04a69bbc29e72e95db3fa5b1
Instruction ID: 641adfcaff3aee0ada2c74227a75322786566ba7a1e7e93b60fd8a08a3c85f1f
Opcode Fuzzy Hash: c277d1b3e6441810da322548f46808cd6d3fa52c04a69bbc29e72e95db3fa5b1
Instruction Fuzzy Hash: 57F037B5500B108FC3A5DF24AA85696BBF0EB513043009C6EC586DBA02E7B8E9498B88

Uniqueness

Uniqueness Score: -1.00%

Function 004330CF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fa36f88e1ecb59efc60f7bc9b848c5bd5bd5235d40c5faab76d0020e8a314b
Instruction ID: 3d0bf82bd9458d42cc8d83d19f1d29ce9efdfe78b32bb5d975044b2b67f4d008
Opcode Fuzzy Hash: f6fa36f88e1ecb59efc60f7bc9b848c5bd5bd5235d40c5faab76d0020e8a314b
Instruction Fuzzy Hash: F2F030B1909305AFC350DF38D58056BBBF5EF89710F409E1EF59897351E630D8098B86

Uniqueness

Uniqueness Score: -1.00%

Function 00432BBC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.277148963.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.277143838.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.277148963.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d7b7eb6cce31aece1a3d390e38b81342838b125368d3b8b9c44ef1de64b77b
Instruction ID: 292e9a3d19aa165e15a831e2e604a2cff8fda1b34bb039bada11ccc36658f6e1
Opcode Fuzzy Hash: 92d7b7eb6cce31aece1a3d390e38b81342838b125368d3b8b9c44ef1de64b77b
Instruction Fuzzy Hash: F9E012317000209BC7008F14D918BADB7E0EF48B04F2101A8EA0A9F282CB66E9828B88

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_8b8aab2d3044b37bde8ae2665b0819910cdd8be_7335685e_095836a8\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER172A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER17F6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1864.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exePID: 2368, Parent PID: 3452

General

Chronological Activities

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Function 0048B8C3 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON