Windows Analysis Report
SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
Analysis ID:1266034
MD5:276da269917b96163da34a47c9115bff
SHA1:cbdcc8e312e55b70debca799abf3a75e56d7b595
SHA256:531230ec5fe046bb3a79cf89bf840a8db6978f356a793292149e1f7774f1bb94
Tags:exe
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
One or more processes crash
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Entry point lies outside standard sections
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Classification chart (rendered figure; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe (PID: 6740 cmdline: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe MD5: 276DA269917B96163DA34A47C9115BFF)
    • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 6964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Avira: detected
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | String found in binary or memory: http://www.clamav.net
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe, 00000000.00000002.428337643.000000000074A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 244
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Static PE information: Section .section
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6740
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FC2.tmp
Source: classification engine | Classification label: mal60.winEXE@3/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Static PE information: real checksum: 0x125d7 should be: 0x12b41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Code function: 0_2_00405FB0 push eax; ret 0_2_00405FDE
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Static PE information: section name: .section
Source: initial sample | Static PE information: section where entry point is pointing to: .section
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Amcache.hve.4.dr | Binary or memory string: VMware
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 35 44 6e 75 85 11 47-bd a2 bb ed 21 43 9f 89
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe | Code function: 0_2_00402848 EntryPoint,LdrInitializeThunk,0_2_00402848
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
ATT&CK matrix (techniques listed per tactic; the number in parentheses is the count of matched signatures for that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (1); Binary Padding
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); System Information Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Input Capture (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (rendered figure) - Behavior Graph ID: 1266034; Sample: SecuriteInfo.com.Trojan.TR....; Startdate: 03/07/2023; Architecture: WINDOWS; Score: 60
Root node signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample
Process nodes: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe started; it started WerFault.exe (24 dropped files, 9 signatures) and conhost.exe
Antivirus results (Source; Detection; Scanner; Label):
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe; Detection: 19%; Scanner: ReversingLabs
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe; Detection: 100%; Scanner: Avira; Label: TR/Crypt.XPACK.Gen
Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe; Detection: 100%; Scanner: Joe Sandbox ML
No Antivirus matches
No contacted domains info
URLs (Name; Source; Malicious; Antivirus Detection; Reputation):
Name: http://www.clamav.net; Source: SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe; Malicious: false; Reputation: high
Name: http://upx.sf.net; Source: Amcache.hve.4.dr; Malicious: false; Reputation: high
      No contacted IP infos
      Joe Sandbox Version:38.0.0 Beryl
      Analysis ID:1266034
      Start date and time:2023-07-03 17:48:40 +02:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 7m 29s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Run name:Run with higher sleep bypass
      Number of analysed new started processes analysed:8
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample file name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
      Detection:MAL
      Classification:mal60.winEXE@3/6@0/0
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 100% (good quality ratio 82.4%)
      • Quality average: 71.5%
      • Quality standard deviation: 37.9%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 1
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 20.189.173.20
      • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
      • Not all processes were analyzed; the report is missing behavior information
      No simulations
      No context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.6802638759969519
      Encrypted:false
      SSDEEP:384:EeLPLOQfgBUZMXUCWjE/u7suX4It6j+Y:EfBUiIjE/u7suX4It
      MD5:DE88D30114D9C8B503D0A7892F5B7C3B
      SHA1:02232BB81A5DDECFD9C27AB414718201325108C8
      SHA-256:A55A85D4D30B8BCACBD00C203A59C8C02EE013BC386098C8447E75AC02B652C2
      SHA-512:9AEEEC4C32FB8D9956C93ECD72D452A12B0688567010F254E259ACEC287FE0CDC4615D57FB93187C9840277C031EDD9836D5E08C0A72BCCA2CE80618707915DA
      Malicious:false
      Reputation:low
      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.3.2.9.0.5.3.8.2.9.3.5.1.4.8.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.3.2.9.0.5.3.8.3.7.3.2.0.1.6.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.5.f.d.3.d.5.-.c.a.b.d.-.4.e.4.c.-.a.b.1.c.-.2.0.a.f.a.9.f.d.7.7.0.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.7.f.7.c.f.9.6.-.f.1.f.1.-.4.9.e.1.-.b.f.7.e.-.d.d.2.4.1.d.b.a.d.8.0.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...T.R...C.r.y.p.t...X.P.A.C.K...G.e.n...2.4.2.8.2...9.8.7.3...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.5.4.-.0.0.0.1.-.0.0.1.a.-.7.d.a.4.-.d.f.6.a.1.1.a.e.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.5.4.5.1.5.9.8.9.0.4.c.d.c.6.8.2.a.b.7.7.f.2.1.3.2.e.c.5.1.7.1.0.0.0.0.f.f.f.f.!.0.0.0.0.c.b.d.c.c.8.e.3.1.2.e.5.5.b.7.0.d.e.b.c.a.7.9.
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Jul 4 00:49:43 2023, 0x1205a4 type
      Category:dropped
      Size (bytes):18332
      Entropy (8bit):2.2077851926261602
      Encrypted:false
      SSDEEP:96:5Y8iYQ88D/JARrizF7Lai7k3n/C+Jt+v9pthSXRIAWInWIH3KAI3+j41ny/:9i/JW2Z7LaOM/Cst+vJhMRzK3+E1ny/
      MD5:B6215FFA7DE2417659B39FF189EB5A8F
      SHA1:31C290E3EC0229E3EF2B20FC0503B69B5E2B421C
      SHA-256:8D78981933D9275843C0C731CE3E4C4AE6E66FFFCD772906912AFA08703E8A58
      SHA-512:19787A3073611324FDF1D7E0D9888E4D685707750EC1A8C2A050C106A7FF0F7F2DAF81A68CB44BC9605369AF0EDC9449202D1DAE99D0F3F22253CD4745ACF562
      Malicious:false
      Reputation:low
      Preview:MDMP....... ........l.d............4........... ...<.......T...j...........T.......8...........T................>..........\...........H....................................................................U...........B..............GenuineIntelW...........T.......T....l.d.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8482
      Entropy (8bit):3.711545260872399
      Encrypted:false
      SSDEEP:192:Rrl7r3GLNi7dw6C6YAkSUgRgmf9dXS4Cpr+89boAsfsYm:RrlsNi766C6YTSU8gmf99SXoTfy
      MD5:B59C04E4888A6DD6EC5B165518C267E2
      SHA1:F8947A0AC7BB7C3149B202ED4560529A1509B3AD
      SHA-256:5ED746C51CBDE20AEF99A439030014F8EF054B0BCED97F3F9AC341B7989A1A28
      SHA-512:5E56EAAA0ED33691D80DACA2FED885F30B3133E163101E187C746AA78C1171FD35A15632A4D7EA76E78F468344A272028E2EA0D88CC915582EB973688D005797
      Malicious:false
      Reputation:low
      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.0.<./.P.i.d.>.......
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4822
      Entropy (8bit):4.6110034555903825
      Encrypted:false
      SSDEEP:48:cvIwSD8zspJgtWI9U/SWgc8sqYjg8fm8M4JIvZFnTk+q8cfWFVKJ+7jd:uITf7v/zgrsqYxJuMrWFm+7jd
      MD5:32EAAE87FE5577A89D80A34FBE42B49B
      SHA1:83CBB6278DDE12A6BA95A2F07580DD776D2842D5
      SHA-256:F8C0DEFFA82CD11E69B1198D388CCF5980A1BD924C11C4945D7DE01A8F444FDF
      SHA-512:F6A2D2D988709701FE1650B508D577F7FB9CC2D3BE74105DAD69B77F12C6A09ADAF1C9068CC83EABC097FC4FE2E7AACDD3540705FE90B0429F9BE07EBA869E73
      Malicious:false
      Reputation:low
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2113080" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1572864
      Entropy (8bit):4.281869795510021
      Encrypted:false
      SSDEEP:12288:w6CTjgaAq08hFIOV3UHsJbHAXK98Zi6oF+fVzk8Q9kZdwwSOop:FijgaAq08hFIOVBhV9G
      MD5:17F129F8E6DE00C25CD528E0D16BC168
      SHA1:F6569C058D6C356C678E1F3221EE22E9B168991D
      SHA-256:F7641787D38AE7BD7D458E49407DE490D0D6B40DBE95765A835769AA0AD61E98
      SHA-512:42B1AD644C39218A3AAD4CAB397A5AECFD9EC2D85DA0B3F37A0DFF8F1B3D9F3B25782CB65D4EF09A104F50B465465578C0D9478E16F32CF640EBC16BE9A0C63F
      Malicious:false
      Reputation:low
      Preview:regf^...^...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.ek..................................................................................................................................................................................................................................................................................................................................................o6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):24576
      Entropy (8bit):3.87856479442937
      Encrypted:false
      SSDEEP:384:0+c53E0xxkIRu3svSRnc9SaPJSptQqg6XadgQYzZK/Ec05jYwq3:5q3Lxkku3qSRcSaPcptQq/XadgZK/4j8
      MD5:7FEB9C560789913B1DA4D98C092567C3
      SHA1:E276451B355F9FD6A730C501E4F6A92FBDFDDE93
      SHA-256:2C492747D011D32814EB4E343C1E8C11B96547A3E6C5F95EF4794F6C47DEABFA
      SHA-512:9EA328F57519E79BEDFAF7589D4BDE2F9A77716B30CC4B0B211C8E7919830AE40DCA86F8A9D9F6A2B247EB299F890C0421DEAB7176CD8CF7D06C6D7D8AC82B85
      Malicious:false
      Reputation:low
      Preview:regf]...]...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmR.ek..................................................................................................................................................................................................................................................................................................................................................o6HvLE.^......].............Fw.J>...&.P.Xr.................0........... ..hbin................p.\..,..........nk,.R.ek.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .R.ek........ ...........8~.............. .......Z.......................Root........lf......Root....nk .R.ek................................... ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
      File type:PE32 executable (console) Intel 80386, for MS Windows
      Entropy (8bit):4.669136828130387
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
      File size:32'768 bytes
      MD5:276da269917b96163da34a47c9115bff
      SHA1:cbdcc8e312e55b70debca799abf3a75e56d7b595
      SHA256:531230ec5fe046bb3a79cf89bf840a8db6978f356a793292149e1f7774f1bb94
      SHA512:be34bf3abf26315ee058c088e77bbe0c5b158c650367a18c9421ba858c063808f9965260ad2835e59659e9a263f38ed79bc968ae91fc899fe147b3c1bdf7a739
      SSDEEP:192:EE93UvKgUC0RQ3z52bT0gaySzw2PAtu+hSn2InP0iSrhMDmaa4y+mZBdZDjk9ZwZ:Gvj0C5QT0/ySzHDCQ8hky+mlp0ba
      TLSH:3DE26C1BBCD14073E981C6B012B2DB1AD77F6A150352AE83DB046A5A2F31DE17D3B25B
      File Content Preview:MZ......................@...............................................!.L.!This file was created by ClamAV for internal use and should not be run...ClamAV - A GPL virus scanner - http://www.clamav.net..$...PE..L...CLAM.................l..........H(.....
      Icon Hash:90cececece8e8eb0
      Entrypoint:0x402848
      Entrypoint Section:.section
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows cui
      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      DLL Characteristics:
      Time Stamp:0x4D414C43 [Thu Jan 27 10:43:15 2011 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:
      Instruction
      push ebp
      mov ebp, esp
      push FFFFFFFFh
      push 00401D50h
      push 00404124h
      mov eax, dword ptr fs:[00000000h]
      push eax
      mov dword ptr fs:[00000000h], esp
      sub esp, 10h
      push ebx
      push esi
      push edi
      mov dword ptr [ebp-18h], esp
      call dword ptr [00401038h]
      xor edx, edx
      mov dl, ah
      mov dword ptr [00406264h], edx
      mov ecx, eax
      and ecx, 000000FFh
      mov dword ptr [00406260h], ecx
      shl ecx, 08h
      add ecx, edx
      mov dword ptr [0040625Ch], ecx
      shr eax, 10h
      mov dword ptr [00406258h], eax
      push 00000000h
      call 00007F0CCCAB6CCFh
      pop ecx
      test eax, eax
      jne 00007F0CCCAB558Ah
      push 0000001Ch
      call 00007F0CCCAB561Fh
      pop ecx
      and dword ptr [ebp-04h], 00000000h
      call 00007F0CCCAB5FA7h
      call dword ptr [00401034h]
      mov dword ptr [00406744h], eax
      call 00007F0CCCAB6B77h
      mov dword ptr [00406238h], eax
      call 00007F0CCCAB6920h
      call 00007F0CCCAB6862h
      call 00007F0CCCAB641Ah
      mov eax, dword ptr [00406274h]
      mov dword ptr [00406278h], eax
      push eax
      push dword ptr [0040626Ch]
      push dword ptr [00406268h]
      call 00007F0CCCAB4E99h
      add esp, 0Ch
      mov dword ptr [ebp-1Ch], eax
      push eax
      call 00007F0CCCAB641Fh
      mov eax, dword ptr [ebp-14h]
      mov ecx, dword ptr [eax]
      mov ecx, dword ptr [ecx]
      Data directories (Name; Virtual Address; Virtual Size; Is in Section):
      IMAGE_DIRECTORY_ENTRY_EXPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_IMPORT; 0x7764; 0x50; .section
      IMAGE_DIRECTORY_ENTRY_RESOURCE; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_EXCEPTION; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_SECURITY; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_DEBUG; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_TLS; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_IAT; 0x1000; 0xd0; .section
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR; 0x0; 0x0
      IMAGE_DIRECTORY_ENTRY_RESERVED; 0x0; 0x0
      Sections:
      Name:.section
      Virtual Address:0x1000
      Virtual Size:0x7000
      Raw Size:0x7000
      Xored PE:False
      ZLIB Complexity:0.4290248325892857
      File Type:data
      Entropy:5.118772479333782
      Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
      No network behavior found
      Target ID:0
      Start time:17:49:41
      Start date:03/07/2023
      Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.TR.Crypt.XPACK.Gen.24282.9873.exe
      Imagebase:0x400000
      File size:32'768 bytes
      MD5 hash:276DA269917B96163DA34A47C9115BFF
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Target ID:1
      Start time:17:49:41
      Start date:03/07/2023
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff6edaf0000
      File size:625'664 bytes
      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:4
      Start time:17:49:42
      Start date:03/07/2023
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 244
      Imagebase:0x900000
      File size:434'592 bytes
      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Execution Graph

      Execution Coverage

      Dynamic/Packed Code Coverage

      Signature Coverage

      Execution Coverage:0.6%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:100%
      Total number of Nodes:2
      Total number of Limit Nodes:0
      Execution graph (rendered figure): node 0x402848 (LdrInitializeThunk) -> node 0x4028a6

      Callgraph

      Hide Legend
      • Executed
      • Not Executed
      • Opacity -> Relevance
      • Disassembly available
      callgraph 0 Function_00404E40 1 Function_00405042 114 Function_004046B6 1->114 2 Function_00403244 64 Function_004045D5 2->64 2->114 3 Function_00404044 4 Function_00405745 5 Function_00402848 6 Function_0040294C 5->6 15 Function_00403C71 5->15 17 Function_00403775 5->17 37 Function_00402210 5->37 51 Function_00403A34 5->51 67 Function_004032DE 5->67 77 Function_00403FF0 5->77 101 Function_004037A2 5->101 115 Function_00403BB8 5->115 117 Function_00403EBE 5->117 52 Function_00404235 6->52 86 Function_004041FC 6->86 7 Function_0040404C 8 Function_00405D4E 9 Function_00405C50 10 Function_0040575C 11 Function_0040385D 12 Function_00404560 13 Function_0040406E 31 Function_00404102 13->31 14 Function_00402970 21 Function_0040367A 14->21 93 Function_00404388 14->93 34 Function_00403D0A 15->34 46 Function_00402927 15->46 15->93 104 Function_004056A4 15->104 16 Function_00403B75 17->11 18 Function_00403877 18->1 39 Function_00403917 18->39 112 Function_004038B2 18->112 19 Function_00405F78 80 Function_004046F3 19->80 20 Function_00405479 22 Function_0040317B 74 Function_004025EF 22->74 23 Function_0040447B 24 Function_00405D7C 25 Function_00405B7E 25->46 26 Function_0040587E 27 Function_00405900 28 Function_00403A00 29 Function_00404400 30 Function_00405200 32 Function_00406203 33 Function_00402704 33->46 100 Function_004036A0 33->100 35 Function_0040480C 95 Function_00405B90 35->95 36 Function_0040390E 36->39 49 Function_00402130 37->49 111 Function_004021B0 37->111 116 Function_004027BD 37->116 118 Function_004025BE 37->118 38 Function_00405C15 39->18 40 Function_00403219 41 Function_0040291C 41->52 41->86 113 Function_004037B3 41->113 42 Function_0040411C 42->13 42->31 47 Function_0040402C 42->47 43 Function_0040551F 68 Function_00405FDF 43->68 98 Function_00405099 43->98 44 Function_00404124 44->13 44->31 44->47 45 Function_00403226 46->52 46->86 48 Function_00405C2C 50 Function_00404730 51->16 52->29 52->30 76 Function_004051F0 52->76 82 Function_004059F5 52->82 
88 Function_00405A80 52->88 53 Function_00403636 53->93 54 Function_00403236 55 Function_00404B37 55->0 79 Function_00404EF1 55->79 56 Function_00402A3A 56->12 56->22 56->23 56->29 56->40 56->45 56->54 71 Function_004031E1 56->71 78 Function_004044F0 56->78 109 Function_004031B0 56->109 57 Function_0040463C 58 Function_004056C0 59 Function_004054C3 60 Function_004037C4 60->11 61 Function_00405EC5 61->57 61->64 61->114 62 Function_004043C6 62->55 63 Function_00405DD0 65 Function_004040D6 66 Function_004058D8 67->46 67->93 68->32 110 Function_00405FB0 68->110 69 Function_004052E0 69->20 69->43 69->59 83 Function_004054F6 69->83 70 Function_004047E1 71->22 72 Function_004041E1 72->13 73 Function_00404FEC 73->19 73->61 73->80 73->112 74->2 74->21 74->53 94 Function_00403489 74->94 75 Function_004060EF 102 Function_004047A3 77->102 80->35 80->70 81 Function_004060F3 81->110 84 Function_004051F7 85 Function_004040F9 86->52 87 Function_004029FD 87->112 89 Function_00405780 90 Function_00401C83 91 Function_00403984 91->98 92 Function_00404788 99 Function_0040439A 93->99 94->2 94->64 96 Function_00405192 97 Function_00405196 98->50 98->110 99->62 99->92 100->50 100->55 100->92 101->60 103 Function_004061A3 104->69 105 Function_004061A7 106 Function_00405DA8 107 Function_004027A9 107->36 107->73 107->80 108 Function_004058AC 109->22 111->74 111->118 112->94 113->60 115->29 115->46 115->76 115->80 115->93 115->104 116->91 117->58 117->80 117->93 118->14 118->56 118->87
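The callgraph above is dumped as a single flat line of `<id> Function_<address>` node definitions and `<id>-><id>` edges. As an added example (my code, not part of the Joe Sandbox report), the parser below turns that text into adjacency sets and cross-checks it against the decompiled `_entry_` in the next section: node 5 is `Function_00402848`, and its ten direct callees are exactly the `E00...` routines the C-code calls. The excerpt string is copied verbatim from the first part of the dump; the helper names and the choice of checks are mine.

```python
import re
from collections import defaultdict, deque

# Excerpt of the flattened "callgraph" dump from the report above (the first
# 21 node definitions and 15 edges, copied verbatim; the full dump lists 119
# nodes). A node is "<id> Function_<hex address>", an edge is "<id>-><id>".
CALLGRAPH_EXCERPT = (
    "callgraph 0 Function_00404E40 1 Function_00405042 114 Function_004046B6 "
    "1->114 2 Function_00403244 64 Function_004045D5 2->64 2->114 "
    "3 Function_00404044 4 Function_00405745 5 Function_00402848 "
    "6 Function_0040294C 5->6 15 Function_00403C71 5->15 17 Function_00403775 "
    "5->17 37 Function_00402210 5->37 51 Function_00403A34 5->51 "
    "67 Function_004032DE 5->67 77 Function_00403FF0 5->77 "
    "101 Function_004037A2 5->101 115 Function_00403BB8 5->115 "
    "117 Function_00403EBE 5->117 52 Function_00404235 6->52 "
    "86 Function_004041FC 6->86 7 Function_0040404C"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_RE = re.compile(r"^Function_([0-9A-Fa-f]{8})$")


def parse_callgraph(text):
    """Return (names, callees, callers) for a flattened callgraph dump.

    names:   node id -> function name, e.g. {5: "Function_00402848"}
    callees: node id -> set of node ids it calls
    callers: node id -> set of node ids that call it
    """
    names = {}
    callees = defaultdict(set)
    callers = defaultdict(set)
    pending_id = None
    for tok in text.split():
        m = EDGE_RE.match(tok)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            callees[src].add(dst)
            callers[dst].add(src)
            continue
        if tok.isdigit():
            pending_id = int(tok)  # id of the Function_ token that follows
            continue
        if NODE_RE.match(tok) and pending_id is not None:
            names[pending_id] = tok
            pending_id = None
    return names, dict(callees), dict(callers)


def node_for_address(names, address):
    """Map a function address (int) back to its node id, or None."""
    for node_id, name in names.items():
        if int(name.split("_", 1)[1], 16) == address:
            return node_id
    return None


def reachable_from(callees, start):
    """All node ids reachable from `start` along call edges (start included)."""
    seen = {start}
    work = deque([start])
    while work:
        node = work.popleft()
        for nxt in callees.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen


def callee_addresses(names, callees, node_id):
    """Sorted addresses (ints) of the direct callees of `node_id`."""
    return sorted(int(names[c].split("_", 1)[1], 16) for c in callees.get(node_id, ()))


def leaf_functions(names, callees):
    """Functions with no outgoing calls: first candidates for thunks/API wrappers."""
    return sorted(n for n in names if not callees.get(n))


if __name__ == "__main__":
    names, callees, callers = parse_callgraph(CALLGRAPH_EXCERPT)
    entry = node_for_address(names, 0x00402848)
    print("entry node:", entry, names[entry])
    print("direct callees:", [f"{a:08X}" for a in callee_addresses(names, callees, entry)])
    print("reachable from entry:", sorted(reachable_from(callees, entry)))
    print("callers of node 114:", sorted(callers.get(114, ())))
    print("leaf functions:", len(leaf_functions(names, callees)))
```

Feeding the whole dump line in instead of the excerpt works the same way; the reachability walk from the entry node then gives the set of functions the sandbox's static graph connects to execution, which is a quick way to spot code that is present in the unpacked image but never reached from `_entry_`.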

      Executed Functions

      Control-flow Graph

C-Code - Quality: 65%
			// Annotation (editor's, not part of the sandbox output): the shape of this
			// stub, a version-style value split into byte fields, a command-line-style
			// global, three initialisation calls, then a call with three pushed globals
			// whose result goes to a final routine, is the layout of a C runtime start-up
			// stub. The report resolves none of the targets; *0x401038 and *0x401034 are
			// indirect calls through pointers in the image, so the names in the comments
			// below are an interpretation by analogy with the MSVC CRT, not report facts.
			_entry_(void* __ebx, void* __edi, void* __esi) {
				signed int _v8;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				unsigned int _t8;
				intOrPtr _t17;
				signed int _t25;
				void* _t38;
				intOrPtr _t40;

				_t37 = __esi;
				 *[fs:0x0] = _t40;                      // installs an SEH frame via the TEB ExceptionList before any other work
				_v28 = _t40 - 0x10;
				_t8 =  *0x401038(__edi, __esi, __ebx,  *[fs:0x0], E00404124, 0x401d50, 0xffffffff, _t38); // executed; indirect call through the pointer at 0x401038
				 *0x406264 = 0;
				_t25 = _t8 & 0x000000ff;               // low byte, low byte << 8 and the high 16 bits of the result are
				 *0x406260 = _t25;                      // stored in three adjacent globals: the CRT's _winmajor/_winver/_osver
				 *0x40625c = _t25 << 8;                 // split of GetVersion() has exactly this form (interpretation)
				 *0x406258 = _t8 >> 0x10;
				if(E00403FF0(0) == 0) {
					E0040294C(0x1c);                    // failure path; 0x1c == 28, the CRT's _RT_HEAPINIT code passed to _amsg_exit (interpretation)
				}
				_v8 = _v8 & 0x00000000;
				E004032DE();
				 *0x406744 =  *0x401034();              // second indirect call; result kept in a global (command line, by CRT analogy)
				 *0x406238 = E00403EBE();
				E00403C71();
				E00403BB8();
				E00403775();
				_t17 =  *0x406274; // 0x0
				 *0x406278 = _t17;
				_push(_t17);                            // three globals pushed as arguments (envp/argv/argc-shaped, by CRT analogy)
				_push( *0x40626c);
				_push( *0x406268);
				_v32 = E00402210();                     // the routine that consumes them: the likely program body
				E004037A2(_t18);                        // _t18 is the decompiler's register alias for E00402210's return value
				_v36 =  *((intOrPtr*)( *_v24));
				return E00403A34(_t37, _v8,  *((intOrPtr*)( *_v24)), _v24);
			}

      Disassembly of _entry_ (0x00402848 through 0x0040291b): only the instruction address column survived extraction; mnemonics and operands are not present in this copy of the report.


      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.428318723.0000000000402000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.428305464.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.428313283.0000000000401000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
      Similarity
      • API ID: InitializeThunk
      • String ID:
      • API String ID: 2994545307-0
      • Opcode ID: b587d1db3f3d1c40449642ec3709e7218dae9ab57bbb87a38c2ac70f332eaea1
      • Instruction ID: 584d8760af44662d9ad06d2f2eefa8ef6dab0041c30c9582c7866981a89bf9f9
      • Opcode Fuzzy Hash: b587d1db3f3d1c40449642ec3709e7218dae9ab57bbb87a38c2ac70f332eaea1
      • Instruction Fuzzy Hash: CD11AFB0940201AFEB08BF76DE06B293BB8EB44315F10427EF402B62F1DB3C05508B58
      Uniqueness

      Uniqueness Score: -1.00%