Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Analysis ID:	800788
MD5:	d0adfd6a3ae38491118d11e6caacd186
SHA1:	6ebe1f86e07fb3fbc79e518bc6d8eb02913b11e1
SHA256:	1e7586126018ff22f443a86f027af1e94cb7746d0acdd4814c4970fe33d82b04
Tags:	exe
Infos:

Detection

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

PE file contains sections with non-standard names

Detected potential crypto function

Entry point lies outside standard sections

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe (PID: 2104 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe MD5: D0ADFD6A3AE38491118D11E6CAACD186)

WerFault.exe (PID: 604 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 212 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Virustotal: Detection: 31%			Perma Link

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 4x nop then push esi		0_2_0042A972
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 4x nop then mov eax, dword ptr [ecx+0000024Ch]		0_2_00432BBC

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: <Ac@AUIA steamcommunity.comSoftware\Microsoft\Windows\CurrentVersion\Run\steamcommunity_3020.0.0.0 www.steamcommunity.com store.steampowered.com api.steampowered.com discordapp.com dl.discordapp.net status.discordapp.com cdn.discordapp.com media.discordapp.net images-ext-2.discordapp.net images-ext-1.discordapp.net support.discordapp.com twitch.tv www.twitch.tv m.twitch.tv app.twitch.tv music.twitch.tv badges.twitch.tv blog.twitch.tv inspector.twitch.tv stream.twitch.tv dev.twitch.tv platform.twitter.com clips.twitch.tv spade.twitch.tv gql.twitch.tv vod-secure.twitch.tv vod-storyboards.twitch.tv trowel.twitch.tv countess.twitch.tv extension-files.twitch.tv vod-metro.twitch.tv pubster.twitch.tv help.twitch.tv passport.twitch.tv id.twitch.tv link.twitch.tv id-cdn.twitch.tv player.twitch.tv api.twitch.tv cvp.twitch.tv pubsub-edge.twitch.tv clips-media-assets2.twitch.tv client-event-reporter.twitch.tv gds-vhs-drops-campaign-images.twitch.tv us-west-2.uploads-regional.twitch.tv assets.help.twitch.tv discuss.dev.twitch.tv irc-ws.chat.twitch.tv usher.ttvnw.net steamcdn-a.akamaihd.net origin-a.akamaihd.net static3.cdn.ubi.com equals www.twitter.com (Twitter)
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: steamcommunity.comwww.steamcommunity.comstore.steampowered.comapi.steampowered.comdiscordapp.comdl.discordapp.netstatus.discordapp.comcdn.discordapp.commedia.discordapp.netimages-ext-2.discordapp.netimages-ext-1.discordapp.netsupport.discordapp.comtwitch.tvwww.twitch.tvm.twitch.tvapp.twitch.tvmusic.twitch.tvbadges.twitch.tvblog.twitch.tvinspector.twitch.tvstream.twitch.tvdev.twitch.tvplatform.twitter.comclips.twitch.tvspade.twitch.tvgql.twitch.tvvod-secure.twitch.tvvod-storyboards.twitch.tvtrowel.twitch.tvcountess.twitch.tvextension-files.twitch.tvvod-metro.twitch.tvpubster.twitch.tvhelp.twitch.tvpassport.twitch.tvid.twitch.tvlink.twitch.tvid-cdn.twitch.tvplayer.twitch.tvapi.twitch.tvcvp.twitch.tvpubsub-edge.twitch.tvclips-media-assets2.twitch.tvclient-event-reporter.twitch.tvgds-vhs-drops-campaign-images.twitch.tvus-west-2.uploads-regional.twitch.tvassets.help.twitch.tvdiscuss.dev.twitch.tvirc-ws.chat.twitch.tvusher.ttvnw.netsteamcdn-a.akamaihd.netorigin-a.akamaihd.netstatic3.cdn.ubi.com equals www.twitter.com (Twitter)

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://cctv4-lh.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://hgtv-i.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://moviesok-i.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://toots-a.akamaihd.net
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://usher.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://vluki-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.51.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.52.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.53.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.54.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.16.55.111
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://104.17.2.37
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.128.232
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.129.232
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://162.159.129.233
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1d23669ea58a590fd66d9204d4301563.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://1f9e8ace0a1f5bb29e03a418a1decade.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://21fe13a7e38f7c092db817a188a63c79.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://522c432cc10e237a02fa1d6481d7d247.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5bcfae2f38d0e143c888d07ec9733d8c.s
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5bcfae2f38d0e143c888d07ec9733d8c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://985a89155dd090eacda1b82388e334ed.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://a22ea2da0e1c896a46c16a51f3eb16f4.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://api.steampowered.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://api.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://app.tw
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://app.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://assets.help.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://aws.amazon.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://badges.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://blog.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c3ad68a16f66bff24e2d82595bd240a1.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://cdn.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://client-event-reporter.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://clips-media-assets2.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://clips.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://countess.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://cvp.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dev.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discordcdn.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://discuss.dev.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://dl.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akama
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd.
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://eaassets-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://extension-files.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://fc13c9775f9e169a8677a3a43f121d5c.steam302.xyz
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gateway.discord.gg
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gateway.discord.gg:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gds-vhs-drops-campaign-images.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gql.twitc
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://gql.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://help.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://humblebundle-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://id-cdn.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://id.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://images-ext-1.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://images-ext-2.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://inspector.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://irc-ws.chat.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://link.twitch.
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://link.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://m.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://media.discordapp.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://music.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://origin-a.akamaihd.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://passport.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://platform.twitter.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://player.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://pubster.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://pubsub-edge.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://spade.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://static2.cdn.ubi.com
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://static3.cdn.ubi.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://status.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcdn-a.akamaihd.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcn.com/t419530-1-1
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akam
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamai
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamaihd.ne
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamcommunity.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steampipe.ak
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steampipe.akamaized.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamstore-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://steamuserimages-a.akamaihd.net
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://store.steampowered.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://stream.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://support.discordapp.com:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://trowel.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://us-west-2.uploads-regional.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://usher.ttvnw.net:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-metro.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-secure.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://vod-storyboards.twitch.tv:
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.dogfight360.com/blog
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.dogfight360.com/blogopenhttps://steamcn.com/t419530-1-10autostart1certificate_newNode
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: https://www.twitch.tv:

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 212

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004900E2	0_2_004900E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00470080	0_2_00470080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004600B0	0_2_004600B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472259	0_2_00472259
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046231B	0_2_0046231B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004743A0	0_2_004743A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00464520	0_2_00464520
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046264D	0_2_0046264D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472716	0_2_00472716
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046E8B0	0_2_0046E8B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00438980	0_2_00438980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00478980	0_2_00478980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00482980	0_2_00482980
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0047EA60	0_2_0047EA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472A01	0_2_00472A01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00484AD0	0_2_00484AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00442B10	0_2_00442B10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472BB4	0_2_00472BB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00480C90	0_2_00480C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046EDF0	0_2_0046EDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0049EE59	0_2_0049EE59
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00494E07	0_2_00494E07
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00472E2E	0_2_00472E2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00440E30	0_2_00440E30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0046AED0	0_2_0046AED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0045AEE5	0_2_0045AEE5

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	ReversingLabs: Detection: 38%
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Virustotal: Detection: 31%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 212

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2104

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE4.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: /c /add "
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: /c /add "
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	String found in binary or memory: -3\steamcommunityCA.pem" /s /n Steamcommunity302 root /c /add "

Source: classification engine

Classification label: mal60.winEXE@2/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Static file information: File size 1221632 > 1048576

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_004060E8 push ds; retf	0_2_00406665
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_00492545 push ecx; ret	0_2_00492558
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Code function: 0_2_0048EDBC push eax; ret	0_2_0048EDDA

Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam01
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam02
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam03
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam04
Source: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	Static PE information: section name: .clam05

Source: initial sample

Static PE information: section where entry point is pointing to: .clam01

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Code function: 0_2_0048B8C3 LdrInitializeThunk,

0_2_0048B8C3

Source: Amcache.hve.3.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	38%	ReversingLabs
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	31%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	100%	Avira	TR/Crypt.XPACK.Gen
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
0.0.SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://usher.ttvnw.net:	0%	Avira URL Cloud	safe
https://5bcfae2f38d0e143c888d07ec9733d8c.s	0%	Avira URL Cloud	safe
https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.52.111	0%	Avira URL Cloud	safe
https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz	0%	Avira URL Cloud	safe
https://eaassets-a.akam	0%	Avira URL Cloud	safe
https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz	0%	Avira URL Cloud	safe
https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz	0%	Avira URL Cloud	safe
https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.54.111	0%	Avira URL Cloud	safe
https://steamcommunity-a.akamaihd.ne	0%	Avira URL Cloud	safe
https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz	0%	Avira URL Cloud	safe
https://link.twitch.	0%	Avira URL Cloud	safe
https://104.17.2.37	0%	Avira URL Cloud	safe
https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz	0%	Avira URL Cloud	safe
https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz	0%	Avira URL Cloud	safe
https://gql.twitc	0%	Avira URL Cloud	safe
https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz	0%	Avira URL Cloud	safe
https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz	0%	Avira URL Cloud	safe
http://usher.steam302.xyz	0%	Avira URL Cloud	safe
https://162.159.129.232	0%	Avira URL Cloud	safe
https://162.159.129.233	0%	Avira URL Cloud	safe
https://gateway.discord.gg:	0%	Avira URL Cloud	safe
https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz	0%	Avira URL Cloud	safe
https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz	0%	Avira URL Cloud	safe
https://gateway.discord.gg	0%	Avira URL Cloud	safe
https://steamcommunity-a.akam	0%	Avira URL Cloud	safe
https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz	0%	Avira URL Cloud	safe
https://steamcommunity-a.akamai	0%	Avira URL Cloud	safe
https://104.16.51.111	0%	Avira URL Cloud	safe
https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz	0%	Avira URL Cloud	safe
https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz	0%	Avira URL Cloud	safe
https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz	0%	Avira URL Cloud	safe
https://eaassets-a.akamaihd	0%	Avira URL Cloud	safe
https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz	0%	Avira URL Cloud	safe
https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.53.111	0%	Avira URL Cloud	safe
https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz	0%	Avira URL Cloud	safe
https://steampipe.ak	0%	Avira URL Cloud	safe
https://985a89155dd090eacda1b82388e334ed.steam302.xyz	0%	Avira URL Cloud	safe
https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz	0%	Avira URL Cloud	safe
https://104.16.55.111	0%	Avira URL Cloud	safe
https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz	0%	Avira URL Cloud	safe
https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz	0%	Avira URL Cloud	safe
https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz	0%	Avira URL Cloud	safe
https://1d23669ea58a590fd66d9204d4301563.steam302.xyz	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://images-ext-1.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://5bcfae2f38d0e143c888d07ec9733d8c.s	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://www.dogfight360.com/blog	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://countess.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akam	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://c58c9f027b8d0739f6b6d94b831e1010.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://cvp.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://status.discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://dev.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://passport.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://bd4a0c7567edeaa0401463857c28ead7.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gds-vhs-drops-campaign-images.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://id-cdn.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://usher.ttvnw.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://104.16.52.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://aa88a8ab3fabc0c5d90ca85c9442a948.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamuserimages-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://95df2ea9aba3e1cad7f8f4526047b63b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://5a895ed07aed1b254ee21cd78958ae0b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://c2491d9d37e95faee1c67e314ae9a4bb.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://vod-metro.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://api.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://www.clamav.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://origin-a.akamaihd.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akamaihd.ne	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://link.twitch.	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://id.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://link.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.54.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://clips.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://aws.amazon.com	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.17.2.37	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://2f16aa2ed3889461cd1076540300a6b3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://pubsub-edge.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://6d7b94f6a3142075c6e14f949daff580.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gql.twitc	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://06b67885560f95cbdf0ba34722e8d33c.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://us-west-2.uploads-regional.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcn.com/t419530-1-1	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://1da58962a7dd53edd9775f6f74ff14e5.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://dl.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://usher.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://steamcdn-a.akamaihd.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://music.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamstore-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://player.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://www.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://162.159.129.233	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://162.159.129.232	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://clips-media-assets2.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://m.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://gateway.discord.gg:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://2973c6ca0e111662ed293b57dbae9fbf.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://6d859be7aa0440f65c8a940ef5218337.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gateway.discord.gg	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://images-ext-2.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://vod-storyboards.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://vluki-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akam	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://irc-ws.chat.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://2f9e9e61f7236db30c1ce0bb9d53581b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://app.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steamcommunity-a.akamai	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://104.16.51.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://7106a273bf3bbce901b765718ecbe69b.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://platform.twitter.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://890c88446f94f25bd32a3f1e0df6c120.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://blog.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://b3a0f6b6d20e3408d1725780186c54d3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://gql.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://extension-files.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://eaassets-a.akamaihd	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://fb96613da2b5475079b93f4be2e94cd3.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://43658a3dbcfbc284a9030abbc3691c30.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://client-event-reporter.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.53.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://inspector.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://cctv4-lh.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://e320c9db4f90dd219ab379f6a5e50dbd.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://dbc180c27b3635f9e5b006f3a037b87e.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://static2.cdn.ubi.com	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://steampipe.ak	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
http://toots-a.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://spade.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://media.discordapp.net:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://hgtv-i.akamaihd.net	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://support.discordapp.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://trowel.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://985a89155dd090eacda1b82388e334ed.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
https://104.16.55.111	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://help.twitch.tv:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://5dd1e18eb1a29671b73c32e518b37111.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://91b1eb7256ac2992f03fe0c7e7ef998d.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://e8304b1598fbfa673d2055f0a3342d7a.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown
https://1d23669ea58a590fd66d9204d4301563.steam302.xyz	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800788
Start date and time:	2023-02-07 19:54:38 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Detection:	MAL
Classification:	mal60.winEXE@2/6@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.5% (good quality ratio 0.3%) Quality average: 20.4% Quality standard deviation: 14.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_204454340d62a71d08cbd555255239a29f2fb7_7335685e_02342cf2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6782657487282481
Encrypted:	false
SSDEEP:	96:mEkFn35WV+zyXr9hMyoI7JfepXIQcQvc6QcEDMcw3DpzBzz+HbHg6ZAXGng5FMTe:mFNpo3+HBUZMXojE/u7s0S274Ith
MD5:	528FBDC062172E34FF6D8689B37CDDFD
SHA1:	BA294D3FFEFACFCF2C53B29824C0C80689F794CD
SHA-256:	903D23E82946BB703C47CDEAE888745AC9A63A00D12146138C95CA7964D97748
SHA-512:	AC405014990A76920B5690D97C6E675394B20F7CF82B010FF48C9BD4DDB22A662EB5194E66ABF820DFA4C8F8AF382A3EA02810088B966E9C332D07B71898007A
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.0.3.0.2.1.3.6.0.1.6.2.4.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.0.3.0.2.1.3.7.2.1.9.3.6.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.f.f.2.b.1.f.f.-.0.f.3.6.-.4.9.e.e.-.8.3.2.6.-.1.4.f.c.9.b.e.a.8.9.a.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.2.0.1.1.9.5.-.0.1.4.4.-.4.4.c.6.-.8.b.0.1.-.e.a.f.8.0.2.a.5.3.f.c.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n...P.S.E...1.G.8.0.G.6.X...7.2.1.6...1.5.0.7.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.8.3.8.-.0.0.0.1.-.0.0.1.a.-.c.e.a.5.-.3.8.3.2.7.1.3.b.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.4.7.8.2.b.f.d.1.f.a.1.4.2.1.4.7.4.1.a.3.d.a.c.5.8.7.c.3.e.c.9.0.0.0.0.f.f.f.f.!.0.0.0.0.6.e.b.e.1.f.8.6.e.0.7.f.b.3.f.b.c.7.9.e.5.1.8.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Feb 8 03:55:36 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	18032
Entropy (8bit):	2.185069166593249
Encrypted:	false
SSDEEP:	96:5Zlt8in8Q/1v2GRE6F8oi7knvEXKuh7khvwZ1ckBf9IE5FWInWIX4I4jV9YabV:fl2iL1+A1TOWcZ1zBf975qjVSuV
MD5:	0AF9AAC29E895BFE177F2FEBB9737130
SHA1:	93A3C614BBA89260923CFB7372F32DA8B8E2DF0D
SHA-256:	467190DA3C4E3CAC7165DB7967A96F7BCA19D12C6BFF9283FBD12BB97972017E
SHA-512:	861F13B73C78832DBC520F952E54E86A77FD85142DF1A27A3137F83624474972A8F8F25EE9A43461CA2362785AEC420B1614836091283B85D69DD9C574D96C1D
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......8..c............4........... ...<.......d...h...........T.......8...........T................=..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......8...6..c.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E1E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8480
Entropy (8bit):	3.708051027120721
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipU7604SZ6YAeSU4GYgmf0XSHCprm89bd9sfdfm:RrlsNiG60L6YpSU/YgmfcS4d2fI
MD5:	7B4035284266865A60FB7680BB259E22
SHA1:	4CC193D3B12B8F1EFD01407BEF2D246E5BCA18D1
SHA-256:	990AA97F93147DE99DAF4CA3605CDD3C58802105328AA76B5E7CE2ACCD242681
SHA-512:	B6678BB219B8CF1AA3C6F0AFE333592B58C69F1121DEBD0070AA11BD631D5E3970ED2E2A790BFEAF61F34968E5D35CAAA31477C48EB3F3F5D41E398F72F8F17D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.1.0.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EAB.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4813
Entropy (8bit):	4.598769267046853
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9GehWgc8sqYj+a8fm8M4JOvZFX+q8tfSR+Nwd:uITfhhpgrsqY6vJcjySR+Nwd
MD5:	5BEBADB9C659A226B7C59175D758B728
SHA1:	A9FA57FD17BDEC306C21A4EB268FC0E1000F0BE5
SHA-256:	2C5BF620A47986FB77F651FA88A5FC82A6D147F1802190198FF55C1ACC5D9976
SHA-512:	0AC28DE47189AFFB32E53676499B0351BFF148804E37C358278685EFE066DF65FDB394FC65E8407B7CF258A0ECB426BCA68DB8DBB0D21B159CB33E28A6BD96DA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1903026" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.286715662604264
Encrypted:	false
SSDEEP:	12288:nm3iuNTtf9FRGoG5O/S7gd65CS6mcz658Xm4+9FJE544VRXr5P:mSuNTtf9FRGoG5v686Q
MD5:	5C8AD2DA10D37316DB724545A8AD4B3F
SHA1:	8C45CCEF31C99F13815C5789D8522FC1048EBDF1
SHA-256:	1BA676771BF07CC6B00E63E30F706DDD8ED13B8799D9C3DD62110590E3E64ACE
SHA-512:	71E5151B9EE398DD79368836F873C5F4C53DBBC8FEB9234F675089C27AC35917149E8FC3573D7E11827BA2E10966EEB55DE8E5A61A452A834C2AC06CC280D9CD
Malicious:	false
Reputation:	low
Preview:	regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmVm.2q;..............................................................................................................................................................................................................................................................................................................................................g.o........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.8840481463366556
Encrypted:	false
SSDEEP:	384:OWaJ53EbxxkhRu3JvMRnw9SaPBSptQqY6XadJQYzZK/LtkqYwq1:MX3uxkDu31MRQSaPUptQq3XadjZK/eq8
MD5:	E01D01116FFD9019EFF90DCE91DE578E
SHA1:	8E90BD90DD49DE45D0C0886AD49902B11BF6360C
SHA-256:	B7486C3CC8AE5EE4485A9AAEB392213AB41693E509EE37B929C4D3B4F49545CA
SHA-512:	77130C48B055FA6E25AEE0C67E5D1451058134E48E560B042199A8BC3EEEC4BBE5410A10948B2F76C62327F4357C40F3E7407B74899DA7DD8CBA3B423B6A174D
Malicious:	false
Reputation:	low
Preview:	regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmVm.2q;..............................................................................................................................................................................................................................................................................................................................................a.oHvLE.^......]...........3h..p.6......'.1.................0........... ..hbin................p.\..,..........nk,.Tm.2q;......P........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .Tm.2q;...... ...........8~.............. .......Z.......................Root........lf......Root....nk .Tm.2q;................................. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.690323528890668
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
File size:	1221632
MD5:	d0adfd6a3ae38491118d11e6caacd186
SHA1:	6ebe1f86e07fb3fbc79e518bc6d8eb02913b11e1
SHA256:	1e7586126018ff22f443a86f027af1e94cb7746d0acdd4814c4970fe33d82b04
SHA512:	7ad4b2265159e6438cc8602430691029e700a7dbb8e476bafc3312fca4f3b1dfe42dee1b99ebb7bbbbe97f67e46a43250c5d20766e3b505cd0163caf74aa6daa
SSDEEP:	24576:8HrUZK3kA2VJT8TwnQCSPRI23bkmb5tSdaqOQgn9MX2R2XB4kVyigqlSiAClS9oD:84llE9o9GjBraKQ1
TLSH:	0545AE72F78208E1D3101678C9FF2339DEB877960A25CD6B6694DD741E7A130BE26392
File Content Preview:	MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM...................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x48b8c3
Entrypoint Section:	.clam01
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, BYTES_REVERSED_LO, 32BIT_MACHINE, DEBUG_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
call 00007F314DD81973h
jmp 00007F314D688073h
mov eax, 00493234h
mov dword ptr [004E45F0h], eax
mov dword ptr [004E45F4h], 0049292Ah
mov dword ptr [004E45F8h], 004928DEh
mov dword ptr [004E45FCh], 00492917h
mov dword ptr [004E4600h], 00492880h
mov dword ptr [004E4604h], eax
mov dword ptr [004E4608h], 004931ACh
mov dword ptr [004E460Ch], 0049289Ch
mov dword ptr [004E4610h], 004927FEh
mov dword ptr [004E4614h], 0049278Ah
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F314D69F773h
cmp dword ptr [ebp+08h], 00000000h
je 00007F3144C12F57h
call 00007F314DE3A473h
fnclex
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp dword ptr [00509CC8h], 00000000h
je 00007F3144C12FDDh
sub esp, 08h
stmxcsr dword ptr [esp+04h]
mov eax, dword ptr [esp+04h]
and eax, 00007F80h
cmp eax, 00001F80h
jne 00007F3144C12F61h
fstcw word ptr [esp]
mov ax, word ptr [esp]
and ax, 007Fh
cmp ax, 007Fh
lea esp, dword ptr [esp+08h]
jne 00007F3144C12FACh

Data Directories

Name	Virtual Address	Virtual Size
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.clam01	0x1000	0xb1000	0xb1000	False	0.4473925229519774	data	6.649028182656562	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam02	0xb2000	0x24000	0x24000	False	0.3477376302083333	data	5.185351349669696	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam03	0xd6000	0x35000	0x35000	False	0.10202774911556604	data	2.060003423850223	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam04	0x10b000	0xc000	0xc000	False	0.0074462890625	data	0.06664922320641793	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.clam05	0x117000	0x14000	0x14000	False	0.29237060546875	data	3.9663953584370155	IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_LNK_NRELOC_OVFL, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_NOT_CACHED, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exePID: 2104, Parent PID: 3320

General

Target ID:	0
Start time:	19:55:34
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe
Imagebase:	0x400000
File size:	1221632 bytes
MD5 hash:	D0ADFD6A3AE38491118D11E6CAACD186
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Target ID:	3
Start time:	19:55:35
Start date:	07/02/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 212
Imagebase:	0xb90000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	1
Total number of Limit Nodes:	0

Executed Functions

Function 0048B8C3 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0048B8C3

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9e5837a9b5b5e3b4a4c93183ea69d42f6d9758d6be260b7f7375af14aa4c7735
Instruction ID: 1dacef987c27c7ced679bb5fd0491ebd07f54a7d0dba31caf58c3c50cd67f924
Opcode Fuzzy Hash: 9e5837a9b5b5e3b4a4c93183ea69d42f6d9758d6be260b7f7375af14aa4c7735
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00464520 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

lost rgb to gray, xrefs: 00464550
unexpected compose, xrefs: 00464564
unknown interlace type, xrefs: 004645B7
lost/gained channels, xrefs: 00464580
unexpected 8-bit transformation, xrefs: 00464599
unexpected bit depth, xrefs: 004645F3

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: 17252c129fac60db3391b6e6c9d9bbf034fd84b061caab5a46156c1c29628426
Instruction ID: 0588eae751ea6828e08e1a12e62da060cac8ce3c8d6915167bed4e1048d06545
Opcode Fuzzy Hash: 17252c129fac60db3391b6e6c9d9bbf034fd84b061caab5a46156c1c29628426
Instruction Fuzzy Hash: 9412C5757083418FCB58DF28C88066AB7E2FBC9314F04453EE99987385E739E945CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00438980 Relevance: 7.8, Strings: 6, Instructions: 279COMMON

Download Yara Rule

Strings

66, xrefs: 00438AD3, 00438B27
rE, xrefs: 00438D01
<7, xrefs: 004389A5
P;, xrefs: 00438B77, 00438B8E, 00438C54
.7, xrefs: 004389EF
l9, xrefs: 004389DA

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: .7$66$<7$P;$l9$rE
API String ID: 0-1116864076
Opcode ID: d72353c32a8653624bef67e62825b3645a403b89a8e04e37d2191299d3abf0d5
Instruction ID: c55559a06a9bbe95809e91bfd6637674e54a3ebd7e2b27b3349288437245810f
Opcode Fuzzy Hash: d72353c32a8653624bef67e62825b3645a403b89a8e04e37d2191299d3abf0d5
Instruction Fuzzy Hash: EBB14BB02007029BC724EF68C994BABF7E5BF48300F50592EF5AA87291DF34B945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0046264D Relevance: 6.7, Strings: 5, Instructions: 405COMMON

Download Yara Rule

Strings

rgb color-map: too few entries, xrefs: 0046285C
rgb+alpha color-map: too few entries, xrefs: 00462897
rgb[gray] color-map: too few entries, xrefs: 004626CF
rgb-alpha color-map: too few entries, xrefs: 00462952
rgb[ga] color-map: too few entries, xrefs: 00462694

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1563483223
Opcode ID: bf602d38870dcdeb7714331d3ceac6f6d6e91b2111a7c4d3c9d3bbb8cfc48aba
Instruction ID: feda99ae4799dad88a070c761110f108cc6e31adc909ae684f47fea141a861f1
Opcode Fuzzy Hash: bf602d38870dcdeb7714331d3ceac6f6d6e91b2111a7c4d3c9d3bbb8cfc48aba
Instruction Fuzzy Hash: 09D12372A14341ABE394DF14CC81B6BB7D9EFD4304F04062EF8999B381E6B8D945C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0046E8B0 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row size calculation error, xrefs: 0046E92B
internal row width error, xrefs: 0046E93D
internal row logic error, xrefs: 0046E8F5
invalid user transform pixel depth, xrefs: 0046EB29

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 0a6ab6bfc22e8ab8a5b0e4497cb143ff38d30f1c337fc8e55e5bb1bda7b4cbe8
Instruction ID: 76e15c1a1b1eb35fe2d37eb0fbe6a667e866ce2269ccd05b3ab0bbefbb1d78b1
Opcode Fuzzy Hash: 0a6ab6bfc22e8ab8a5b0e4497cb143ff38d30f1c337fc8e55e5bb1bda7b4cbe8
Instruction Fuzzy Hash: B2F128396083968FCB24CE29D9902BFBBD1AFD6310F58456FD88587342F6299C09C797

Uniqueness

Uniqueness Score: -1.00%

Function 0046231B Relevance: 5.2, Strings: 4, Instructions: 230COMMON

Download Yara Rule

Strings

gray+alpha color-map: too few entries, xrefs: 00462334
ga-alpha color-map: too few entries, xrefs: 00462387
gray-alpha color-map: too few entries, xrefs: 004625A5
L, xrefs: 00462486

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$ga-alpha color-map: too few entries$gray+alpha color-map: too few entries$gray-alpha color-map: too few entries
API String ID: 0-2470002146
Opcode ID: 5906b32e23beff4a6aa64285cc64be11c239928e552f909aa1833f72f8c0bb1e
Instruction ID: 62f01a12492dfa869cd397b2507294639afccb373d6d74304e823ff8c7480bd4
Opcode Fuzzy Hash: 5906b32e23beff4a6aa64285cc64be11c239928e552f909aa1833f72f8c0bb1e
Instruction Fuzzy Hash: D081D2B1A183419BD348CF24CD51B2BBBE5EBC9304F04492DF48597391E7B8D945CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00478980 Relevance: 4.8, Strings: 3, Instructions: 1089COMMON

Download Yara Rule

Strings

invalid bit length repeat, xrefs: 00479441
invalid stored block lengths, xrefs: 00479207
too many length or distance symbols, xrefs: 00479353

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid stored block lengths$too many length or distance symbols
API String ID: 0-949635641
Opcode ID: 25676f3fcd3356e4984382619c54d99da01b2bf6944592414eb10acee4d99569
Instruction ID: 4d3e969fb4d6d5f9f8319c259846e108de9592ec70fdee39f80b9bb47bdfff80
Opcode Fuzzy Hash: 25676f3fcd3356e4984382619c54d99da01b2bf6944592414eb10acee4d99569
Instruction Fuzzy Hash: 53926CB5A043018FCB08CF19D88496ABBE6FFC9310F14C96EE8998B355E735E845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004600B0 Relevance: 4.0, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

out-of-date sRGB profile with no signature, xrefs: 004602A6
copyright violation: edited ICC profile ignored, xrefs: 00460247
known incorrect sRGB profile, xrefs: 0046028E

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-1307623137
Opcode ID: e76078544bb7ee8edcca9579bf3414809b6abb8d494789d66cecc048c4982bf9
Instruction ID: 42f3d611448b0275e273ecff4b3305303ae3f9a48b05122ba9f682646459eb36
Opcode Fuzzy Hash: e76078544bb7ee8edcca9579bf3414809b6abb8d494789d66cecc048c4982bf9
Instruction Fuzzy Hash: 6D512AB27087910BDB68CE394C6176BBBE25FC5204F19C8ADD4D9C7341F564E805CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00470080 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

libpng does not support gamma+background+rgb_to_gray, xrefs: 0047050C
invalid background gamma type, xrefs: 0047088C

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: 9235b0badd2f5d9e4da63bfd41724ff6eebb3928c8685bede69d91f75369c6b9
Instruction ID: 85c680dfe23e7247d366d1d5602f0e909fce567e8974a160dab72b5a841b0a0b
Opcode Fuzzy Hash: 9235b0badd2f5d9e4da63bfd41724ff6eebb3928c8685bede69d91f75369c6b9
Instruction Fuzzy Hash: F0623A75509B818AD331DB34CC407F7BBE1AF5A300F08896ED9EE8B352E639A805C759

Uniqueness

Uniqueness Score: -1.00%

Function 00480C90 Relevance: 3.0, Strings: 2, Instructions: 503COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 0048127E
invalid literal/length code, xrefs: 00481230

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: 6c142de8fa9efb285cc736fb40da0ea2058503b448a43c3af60b5a8eb9d56be6
Instruction ID: 0d996b808d37d9fb1560db2424a5e58ced5e96494e0da0c1d6c0f15b501d8dc6
Opcode Fuzzy Hash: 6c142de8fa9efb285cc736fb40da0ea2058503b448a43c3af60b5a8eb9d56be6
Instruction Fuzzy Hash: 351258B46087028FC708DF29D594A2ABBE1FF88304F148A6EE48AC7761D734E945CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00484AD0 Relevance: 2.8, Strings: 2, Instructions: 334COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 00484D52
invalid literal/length code, xrefs: 00484E16

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid literal/length code
API String ID: 0-1393003055
Opcode ID: b10f619bdcd75913c505a87fd725d5e1212f6363886cc4dc518ce88159715903
Instruction ID: 55791b7ac13836943b68ca230673b722c2b8044447d960702a6510d855cf006a
Opcode Fuzzy Hash: b10f619bdcd75913c505a87fd725d5e1212f6363886cc4dc518ce88159715903
Instruction Fuzzy Hash: 94C19E71A087528FC718CF2DD59022AFBE1FBC8310F194A6EE89A93751C734A915CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0045AEE5 Relevance: 2.4, Strings: 1, Instructions: 1183COMMON

Download Yara Rule

Strings

nB, xrefs: 0045BC62

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: nB
API String ID: 0-32927234
Opcode ID: c3f438e7413b494f9e64cc422ec919d2407a64d0328df5ad01ef1d9afc7ec801
Instruction ID: 323820abb24e42190adfa5e6b97caaa551677407b196d5f4b41bf9282b7e5629
Opcode Fuzzy Hash: c3f438e7413b494f9e64cc422ec919d2407a64d0328df5ad01ef1d9afc7ec801
Instruction Fuzzy Hash: 35925971604B418FD329CF29C4906A7BBE2EF99304F14892ED9DB87B62D734B849CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00442B10 Relevance: 1.9, Strings: 1, Instructions: 638COMMON

Download Yara Rule

Strings

l9, xrefs: 00442DD1

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: l9
API String ID: 0-3468237393
Opcode ID: 0f9900cbc7de7e7fcc5340ab8a586c5dd7e4c3f7dae1bf7fed7f7ff19c80f756
Instruction ID: 951c45336bd2b557e226944d09572ce0ed0e94f806c3851ff3b07677d7fecb78
Opcode Fuzzy Hash: 0f9900cbc7de7e7fcc5340ab8a586c5dd7e4c3f7dae1bf7fed7f7ff19c80f756
Instruction Fuzzy Hash: 9132C371E00205DFDB14DFA8C980BAEB7B1FF48310F64466AE516A7381EB74AE41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00482980 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ed40b535bfd85424a3774b3b801a78386c4496290a75cf025380b8a8204e12
Instruction ID: 7e2708285872ee3a53fac2836899f8cd2628ab1709ae66ad3c9f0056a7ada428
Opcode Fuzzy Hash: c6ed40b535bfd85424a3774b3b801a78386c4496290a75cf025380b8a8204e12
Instruction Fuzzy Hash: 5DF1BF725092808FC3098F18D9989E27BE2FFA8314B1F46FAD4499B363D7729841CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00472259 Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e5c7539a240e086dfba9989f9b8ae11b68798fc306046cb1f2a4c0655f8c5cd
Instruction ID: f1dbd1427686f1efc237b3d6bcb85e2bac897381a059fa1f9fad7d118279a35e
Opcode Fuzzy Hash: 0e5c7539a240e086dfba9989f9b8ae11b68798fc306046cb1f2a4c0655f8c5cd
Instruction Fuzzy Hash: F8B19D2634A2828BDB125A3C91603F77FA0EB96311F6C94BED9DE87342D15E890DD315

Uniqueness

Uniqueness Score: -1.00%

Function 0046EDF0 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7578390f5192414ea4b6ac327700755684f52da1fada117f4d5f0319c97742
Instruction ID: ccd4cd7ab3aa88afb96e15f64a7dc93d6d7a30a46a0691cda251f490ac2bb7b8
Opcode Fuzzy Hash: 2a7578390f5192414ea4b6ac327700755684f52da1fada117f4d5f0319c97742
Instruction Fuzzy Hash: 62D1AD76A097468FC708CF18D49036BBBE1FBD9314F544A2EE8D587350E335A90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 004900E2 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d4a36210166feda4cf28356dbb3628b9fab61bd3178ff5c50805f6e688b126d
Instruction ID: 35e6b89db8f1f1d3472e7355e2773c4b26c8db828c7f88a7ab974cfe3f84aaf1
Opcode Fuzzy Hash: 3d4a36210166feda4cf28356dbb3628b9fab61bd3178ff5c50805f6e688b126d
Instruction Fuzzy Hash: 00C16E73D1E5B24A8F36462D041823FEE626F91B4435FC7B2DCD03F28AC62AAD1596D4

Uniqueness

Uniqueness Score: -1.00%

Function 00440E30 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb8eae065287abe230e8812b167e1d0d8cc05524fb6861910b2a871f80fa556
Instruction ID: 42d4e81c0c9150a6f0a0833112c3390663a1276f6a3d1dc3ae307dcdc21d4f40
Opcode Fuzzy Hash: cdb8eae065287abe230e8812b167e1d0d8cc05524fb6861910b2a871f80fa556
Instruction Fuzzy Hash: E5C1D0316086844FE735CF08C0647ABB7E2AF95740F58892FE6C147366D77C98A9CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00472E2E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3533514cedc7d03b5159d59b8045bc02726dcd8b3dd6cf900803b1865555f5
Instruction ID: a256fd90512e74eb3187dd02a94522a0e6586886368a7f71360d0fb5a15d8125
Opcode Fuzzy Hash: 4a3533514cedc7d03b5159d59b8045bc02726dcd8b3dd6cf900803b1865555f5
Instruction Fuzzy Hash: 12C1BE3520D7824BC729DB3894A55FBBFE2AFAA300B1DD5BDD48A8B3A7D9215409C740

Uniqueness

Uniqueness Score: -1.00%

Function 00472BB4 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c44b79c17cf8662aea1247097181a5e4331f8e07f9f1b4761d484fb33f2d86
Instruction ID: f97bf71761986a3705888cadf55a363403b459df62e4d9fac26cc9015fc53eb2
Opcode Fuzzy Hash: 34c44b79c17cf8662aea1247097181a5e4331f8e07f9f1b4761d484fb33f2d86
Instruction Fuzzy Hash: 0771142520D7C24FC72A9B2888A42F6BFD1AFA7301F5C95FDD8DA4F392C5165409C721

Uniqueness

Uniqueness Score: -1.00%

Function 0047EA60 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 8e2b79259746a34fdd145293c15a79e5c810a86f9892c90c0be6b628b3e56c45
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 6E81E73954A7819FC711CF29C0D04A6FFE2BF9E204F5C999DE9D50B316C231A91ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00472A01 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 375203ff4340e4f34b6c1ec64bbd7a73d7c14454166c216670612afb07d480e4
Instruction ID: f7b871beb6d0e634f27bae58c39fc50c5bb7bc8d25b216e39388cce35efd1805
Opcode Fuzzy Hash: 375203ff4340e4f34b6c1ec64bbd7a73d7c14454166c216670612afb07d480e4
Instruction Fuzzy Hash: FD4129363192838BC7299E3CC5512F6FBA1EF9A300F5887BEC4D9C7742D619A50AD750

Uniqueness

Uniqueness Score: -1.00%

Function 00472716 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: b5fbcc907fa8f4c186584c0d646149e0c27d562293e78a8e386b16a7ce80cfbb
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: A151AB2920DBD14AC71A973854A96F7FFE29F6B301B4ED1EEC4DA8B323C5160008C761

Uniqueness

Uniqueness Score: -1.00%

Function 004743A0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16108e6fb8a8680c0b9cc817721781ec995235c408a0f13871d28ea10d1e559
Instruction ID: 38831739de5920f7e85f78d86d2547de0a7cba0e08f3be0e7fa5b778c0b764c7
Opcode Fuzzy Hash: a16108e6fb8a8680c0b9cc817721781ec995235c408a0f13871d28ea10d1e559
Instruction Fuzzy Hash: 2641A5727019414BC778CA2AE9A02FBB7D3DBC6311B28C46FC29ECB725D6356444CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0046AED0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5601f85b3d8cc4091a0d1b4f797139fb28ac3643c65f7a0dbf4a36fa40fd9f
Instruction ID: 10d75487e991485edefa14e650b99c9380800a8b50fd9d0e515e832c3cd39f81
Opcode Fuzzy Hash: cf5601f85b3d8cc4091a0d1b4f797139fb28ac3643c65f7a0dbf4a36fa40fd9f
Instruction Fuzzy Hash: 5631C4227B909207D394CEBD9C80637FA9397CB346B6CC678D584C7A1AE43AE8078614

Uniqueness

Uniqueness Score: -1.00%

Function 0042A972 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c277d1b3e6441810da322548f46808cd6d3fa52c04a69bbc29e72e95db3fa5b1
Instruction ID: 641adfcaff3aee0ada2c74227a75322786566ba7a1e7e93b60fd8a08a3c85f1f
Opcode Fuzzy Hash: c277d1b3e6441810da322548f46808cd6d3fa52c04a69bbc29e72e95db3fa5b1
Instruction Fuzzy Hash: 57F037B5500B108FC3A5DF24AA85696BBF0EB513043009C6EC586DBA02E7B8E9498B88

Uniqueness

Uniqueness Score: -1.00%

Function 00432BBC Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.319811658.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.319797645.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.000000000050B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.319811658.0000000000517000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92d7b7eb6cce31aece1a3d390e38b81342838b125368d3b8b9c44ef1de64b77b
Instruction ID: 292e9a3d19aa165e15a831e2e604a2cff8fda1b34bb039bada11ccc36658f6e1
Opcode Fuzzy Hash: 92d7b7eb6cce31aece1a3d390e38b81342838b125368d3b8b9c44ef1de64b77b
Instruction Fuzzy Hash: F9E012317000209BC7008F14D918BADB7E0EF48B04F2101A8EA0A9F282CB66E9828B88

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_204454340d62a71d08cbd555255239a29f2fb7_7335685e_02342cf2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CE4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E1E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EAB.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exePID: 2104, Parent PID: 3320

General

Chronological Activities

Analysis Process: WerFault.exePID: 604, Parent PID: 2104

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan.PSE.1G80G6X.7216.15072.exe

Function 0048B8C3 Relevance: 1.5, APIs: 1, Instructions: 2
libraryCOMMON