Edit tour

Windows Analysis Report
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Overview

General Information

Sample name:	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Analysis ID:	1477394
MD5:	c0d645827131ac1166dbe06d45511323
SHA1:	1dfa4d4a7ad6817f3d774ecf1fea7b6730f6cbac
SHA256:	3b0dc5d40dc74076656f303aa3652910d44ac2cf6492a4a405c6652a4e777714
Tags:	exe
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

.NET source code contains potential unpacker

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to delete services

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Enables driver privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries device information via Setup API

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Stores files to the Windows start menu directory

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe (PID: 5460 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe" MD5: C0D645827131AC1166DBE06D45511323)

setx.exe (PID: 8 cmdline: setx /M IDmelonMode access-key MD5: 5B700BC00E451033B2F9EEF349A91D1C)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 2520 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1196 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6908 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1700 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1612 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6668 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6864 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 1184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6836 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1432 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6552 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 5052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 5004 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 3732 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 4476 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 6552 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" restart AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 3732 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1520 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

devcon.exe (PID: 3428 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid MD5: 6EA4F64D02AE236A6B60E5E665079A89)

conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

devcon.exe (PID: 2424 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid MD5: 6EA4F64D02AE236A6B60E5E665079A89)

conhost.exe (PID: 5904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

devcon.exe (PID: 3732 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid MD5: 6EA4F64D02AE236A6B60E5E665079A89)

conhost.exe (PID: 3428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7600 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7652 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7720 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7776 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7824 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7896 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Description "IDmelon Accesskey reader service which is responsible for reading Accesskey IDs" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 7952 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdoutCreationDisposition 4 MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

nssm.exe (PID: 1928 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" MD5: 17DE7869B1B721B3FFF9DBE111CAAFF8)

conhost.exe (PID: 5164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Service.exe (PID: 5064 cmdline: "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe" MD5: 9E99F6F2DC43830D3959E55EDDDDB422)

conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dsregcmd.exe (PID: 7148 cmdline: "C:\Windows\System32\dsregcmd.exe" /status MD5: 866989AA656CF67780143376C12DF510)

svchost.exe (PID: 7236 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

drvinst.exe (PID: 7268 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\accesskeyfidovhid.inf" "9" "4196477d7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "c:\program files (x86)\idmelon\accesskey\driver" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 7416 cmdline: DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "0000000000000168" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

drvinst.exe (PID: 7552 cmdline: DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

WUDFRd.sys (PID: 4 cmdline: MD5: 0B7A5464602DA68DA6BEFC2A1B5BE4C5)

mshidumdf.sys (PID: 4 cmdline: MD5: 9E90FE6DF363D2427A5C773120E7B27D)

WUDFHost.exe (PID: 7484 cmdline: "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-3ba73f07-7082-44ba-ac25-62d6a3756b80 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-0c2aa50f-a6b5-49c5-8b4d-5aa353434dea -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d4f7a26f-e897-4801-9374-f1c601e77e78 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ec48fbad-1509-4711-bef9-62c3b1e095c0 -LifetimeId:a4533485-4f57-41b2-936a-ec5cac55ccfb -DeviceGroupId:WudfDefaultDevicePool -HostArg:0 MD5: 00E2EF3D2C9309CA4135195A049CC79C)

cleanup

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\WUDFRd.sys, NewProcessName: C:\Windows\System32\drivers\WUDFRd.sys, OriginalFileName: C:\Windows\System32\drivers\WUDFRd.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: WUDFRd.sys

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 7236, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Virustotal: Detection: 6%			Perma Link

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 34.214.245.150:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdbSHA256 source: Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source:	Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdbSHA256 source: Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256 source: System.Text.Encodings.Web.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdb source: GrpcClients.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb62P2 B2_CorDllMainmscoree.dll source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\IDmelonVirtualHidAPI\obj\Release\IDmelonVirtualHidAPI.pdb source: Service.exe, 00000021.00000002.3601729165.0000019D3B2C2000.00000002.00000001.01000000.00000014.sdmp, IDmelonVirtualHidAPI.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\ServerApi\obj\Release\ServerApi.pdb source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdbSHA256 source: Service.exe, 00000021.00000002.3602128842.0000019D3B382000.00000002.00000001.01000000.0000001A.sdmp, DeviceId.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdbg_ source: Service.exe, 00000021.00000002.3604875434.0000019D3C292000.00000002.00000001.01000000.00000025.sdmp, DB.dll.0.dr
Source:	Binary string: T:\altsrc\github\grpc\workspace_csharp_ext_windows_x64\cmake\build\x64\grpc_csharp_ext.pdb source: Service.exe, 00000021.00000002.3618132699.00007FFDF63BA000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256 source: Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdb source: Service.exe, 00000021.00000002.3604875434.0000019D3C292000.00000002.00000001.01000000.00000025.sdmp, DB.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\AccesskeyCli\obj\Release\AccesskeyCli.pdb_ source: AccesskeyCli.exe.0.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.0.dr
Source:	Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdbSHA256n source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr
Source:	Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb source: EllipticCurve.dll.0.dr
Source:	Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdb source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256N source: Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Threading.Tasks.Extensions.dll.0.dr
Source:	Binary string: C:\xcode\envar test\envar release3\Contrib\EnVar\Release Unicode\EnVar.pdbEnvironmentSystem\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment3System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironmentNULLSystem\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment6System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment033NULL40165056461116063415160path646System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment06HKCUHKLMHKLM134NULL134160 source: EnVar.dll.0.dr
Source:	Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb~y source: EllipticCurve.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcProtoCompiler\obj\Release\TagReaderGRPC.pdb source: Service.exe, 00000021.00000002.3601894777.0000019D3B2F2000.00000002.00000001.01000000.00000017.sdmp, TagReaderGRPC.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\arm\e_sqlite3.pdb source: e_sqlite3.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll0.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdbSHA256w#NtW source: SocketIO.Serializer.Core.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Logger\obj\Release\Logger.pdb source: Service.exe, 00000021.00000002.3599331221.0000019D22A92000.00000002.00000001.01000000.00000013.sdmp, Logger.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdb source: Service.exe, 00000021.00000002.3604346724.0000019D3BB52000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\Program Files (x86)\Jenkins\workspace\pcProxAPI-sdk-release-bot\pcProxAPI\runtime\win\x64\Release\USBWejAPI.pdb source: pcProxAPI.dll0.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256CM source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Service\obj\Release\Service.pdb source: Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Source:	Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdbSHA256 source: Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr
Source:	Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdb source: Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdb source: Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Fido\obj\Release\Fido.pdb source: Service.exe, 00000021.00000002.3604129531.0000019D3BAF2000.00000002.00000001.01000000.00000020.sdmp, Fido.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdb source: Service.exe, 00000021.00000002.3604923669.0000019D3C2A2000.00000002.00000001.01000000.00000026.sdmp, BioKey.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: e_sqlite3.dll1.0.dr
Source:	Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb source: websocket-sharp.dll.0.dr
Source:	Binary string: devcon.pdb source: devcon.exe, 00000028.00000000.1876422070.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000000.1878914711.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000002.1880845418.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000000.1881554737.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000002.1922841753.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source:	Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdb source: SocketIO.Serializer.Core.dll.0.dr
Source:	Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdb source: Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: devcon.pdbGCTL source: devcon.exe, 00000028.00000000.1876422070.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000000.1878914711.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000002.1880845418.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000000.1881554737.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000002.1922841753.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source:	Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb* source: websocket-sharp.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\AccesskeyCli\obj\Release\AccesskeyCli.pdb source: AccesskeyCli.exe.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Encryption\obj\Release\Encryption.pdb source: Service.exe, 00000021.00000002.3601851877.0000019D3B2E2000.00000002.00000001.01000000.00000016.sdmp, Encryption.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdbAF[F MF_CorDllMainmscoree.dll source: GrpcClients.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x64\e_sqlite3.pdb source: Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, e_sqlite3.dll0.0.dr
Source:	Binary string: C:\xcode\envar test\envar release3\Contrib\EnVar\Release Unicode\EnVar.pdb source: EnVar.dll.0.dr
Source:	Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdb source: Service.exe, 00000021.00000002.3602128842.0000019D3B382000.00000002.00000001.01000000.0000001A.sdmp, DeviceId.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\WindowsDriverDevelopment\virtual_hid_fido\driver\umdf2\AccessKey\x64\Release\AccessKeyFidoVhid.pdb source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmp, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr
Source:	Binary string: C:\Users\Amini\Downloads\WpfToggleSwitchs\WpfToggleSwitch\CSharp\CSharpControls.Wpf\obj\Release\CSharpControls.Wpf.pdb source: CSharpControls.Wpf.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdbqI source: Service.exe, 00000021.00000002.3604346724.0000019D3BB52000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdbo source: Service.exe, 00000021.00000002.3604923669.0000019D3C2A2000.00000002.00000001.01000000.00000026.sdmp, BioKey.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_004068D4 FindFirstFileW,FindClose,	0_2_004068D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C83
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF6946169C0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,	40_2_00007FF6946169C0

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: skm.idmelon.com

Source: unknown

HTTP traffic detected: POST /apis/access-key-cli/v1/apps HTTP/1.1Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xmlUser-Agent: RestSharp/110.2.0.0Content-Type: application/jsonHost: skm.idmelon.comContent-Length: 348Expect: 100-continueAccept-Encoding: gzipConnection: Keep-Alive

Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Service.exe, 00000021.00000002.3599633247.0000019D22EA4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://idmelon.com
Source: Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr	String found in binary or memory: http://idmelon.com9Failed
Source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: http://idmelon.comoThe
Source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Service.exe, 00000021.00000002.3601954060.0000019D3B312000.00000002.00000001.01000000.00000018.sdmp, log4net.dll.0.dr	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: Service.exe, 00000021.00000002.3603461570.0000019D3B8FC000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Service.exe, 00000021.00000002.3601327320.0000019D32C23000.00000004.00000800.00020000.00000000.sdmp, Grpc.Core.dll.0.dr	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nssm.exe, nssm.exe, 00000003.00000000.1816759065.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000005.00000002.1821554597.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000007.00000002.1824056715.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000009.00000002.1826504358.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000B.00000000.1827718062.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000D.00000000.1830187905.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000F.00000002.1835388792.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000011.00000000.1835854085.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000013.00000000.1838414436.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000015.00000002.1842863095.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000017.00000002.1845034170.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000019.00000000.1846041093.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001B.00000002.1849679192.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001D.00000000.1850811410.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001F.00000000.1852024276.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000024.00000002.1871928036.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000026.00000000.1873191186.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000038.00000000.1933180702.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003A.00000002.1937478499.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003C.00000000.1938257275.0000000140065000.00000002.00000001.01000000.00000007.sdmp	String found in binary or memory: http://nssm.cc/
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: http://ocsp.sectigo.com0A
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: http://schemas.fontawesome.io/icons/
Source: Service.exe, 00000021.00000002.3599633247.0000019D22CA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Service.exe, 00000021.00000002.3599633247.0000019D22C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Service.exe, 00000021.00000002.3599633247.0000019D22CFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: http://wpfanimatedgif.codeplex.com
Source: Grpc.Core.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000002.2061205840.000000000062F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000003.2060679922.000000000062D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.idmelon.com
Source: sqlite3.dll0.0.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://aka.ms/binaryformatter
Source: System.Text.Json.dll.0.dr	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://authnapi.idmelon.com
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate/?redirectUrl=idmelonpt://login
Source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: SocketIO.Serializer.Core.dll.0.dr	String found in binary or memory: https://github.com/doghappy/socket.io-client-csharp
Source: SocketIO.Serializer.Core.dll.0.dr	String found in binary or memory: https://github.com/doghappy/socket.io-client-csharp&
Source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
Source: Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
Source: Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: Service.exe, 00000021.00000002.3602766191.0000019D3B562000.00000002.00000001.01000000.0000001D.sdmp, Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr, System.Runtime.CompilerServices.Unsafe.dll.0.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://github.com/dotnet/roslyn/issues/46646
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://github.com/dotnet/roslyn/issues/46646~
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Encodings.Web.dll.0.dr, System.Text.Json.dll.0.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://github.com/dotnet/runtime/issues/73124.
Source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	String found in binary or memory: https://github.com/dotnet/runtime8
Source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp, SQLitePCLRaw.core.dll.0.dr, SQLitePCLRaw.batteries_v2.dll.0.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.raw
Source: Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawH
Source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr	String found in binary or memory: https://github.com/ericsink/SQLitePCL.rawX
Source: Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp	String found in binary or memory: https://github.com/grpc/grpc-dotnet.git
Source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr	String found in binary or memory: https://github.com/grpc/grpc.git
Source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr	String found in binary or memory: https://github.com/grpc/grpc.git6
Source: Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.
Source: Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://github.com/netty/netty/issues/6520.s
Source: Service.exe, 00000021.00000002.3605079178.0000019D3C2D2000.00000002.00000001.01000000.00000028.sdmp	String found in binary or memory: https://github.com/praeclarum/sqlite-net.git
Source: Service.exe, 00000021.00000002.3605079178.0000019D3C2D2000.00000002.00000001.01000000.00000028.sdmp	String found in binary or memory: https://github.com/praeclarum/sqlite-net.git7
Source: Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp	String found in binary or memory: https://github.com/protocolbuffers/protobuf.git
Source: Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr	String found in binary or memory: https://github.com/restsharp/RestSharp.git
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://idmp.idmelon.com
Source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000021.00000002.3599633247.0000019D22C01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://idmp.idmelon.com/v2
Source: Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr	String found in binary or memory: https://idmp.idmelon.com/v2/Received
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: pcProxAPI.dll0.0.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: Service.exe, 00000021.00000002.3599633247.0000019D22C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skm.idmelon.com
Source: Service.exe, 00000021.00000002.3599633247.0000019D22FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skm.idmelon.com/apis/access-key
Source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000021.00000002.3599633247.0000019D22C01000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1
Source: Service.exe, 00000021.00000002.3599633247.0000019D22C43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v1/apps
Source: Service.exe, 00000021.00000002.3599633247.0000019D22FC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skm.idmelon.com/apis/access-key-cli/v18
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://test.authnapi.idmelon.com/apis/access-key-cli/v1
Source: Grpc.Core.dll.0.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, Service.exe.0.dr, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr, accesskey-reader-service.exe.0.dr, AccesskeyCli.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cloud-platform
Source: Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.googleapis.com/auth/cloud-platformExternalAccountCredentials
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://www.idmelon.com/
Source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.idmelon.com/downloads/pairing_tool/setup.exe?v=
Source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	String found in binary or memory: https://www.idmelon.com/downloads/pairing_tool/version.json
Source: AccesskeyCli.exe.0.dr	String found in binary or memory: https://www.idmelon.com/pairing-tool/
Source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 34.214.245.150:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Code function: 0_2_0040573B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040573B

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\wudf.cat	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD337.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\wudf.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4FC.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\wudf.cat (copy)	Jump to dropped file

Source: nssm.exe

Process created: 43

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_00000001400133A0 _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

3_2_00000001400133A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403552

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\accesskeyfidovhid.inf_amd64_cf0f0293add529ac
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\SETDB43.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\SETDB43.tmp

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4DA.tmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00406DE6	0_2_00406DE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_004075BD	0_2_004075BD
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014000D2D0	3_2_000000014000D2D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140023864	3_2_0000000140023864
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140010470	3_2_0000000140010470
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_00000001400070A0	3_2_00000001400070A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140019CB4	3_2_0000000140019CB4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_00000001400030D0	3_2_00000001400030D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014000F500	3_2_000000014000F500
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140013D10	3_2_0000000140013D10
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140005D20	3_2_0000000140005D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014000DD40	3_2_000000014000DD40
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140012550	3_2_0000000140012550
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140022D60	3_2_0000000140022D60
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014001CDD4	3_2_000000014001CDD4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140012E00	3_2_0000000140012E00
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140008E20	3_2_0000000140008E20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140020A2C	3_2_0000000140020A2C
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014000EE50	3_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140021B40	3_2_0000000140021B40
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140002B50	3_2_0000000140002B50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014001ABAC	3_2_000000014001ABAC
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014001DBB8	3_2_000000014001DBB8
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58A20F0	33_2_00007FFDF58A20F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF582C0E0	33_2_00007FFDF582C0E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58383B0	33_2_00007FFDF58383B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58EA3C0	33_2_00007FFDF58EA3C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5927D20	33_2_00007FFDF5927D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58BDC60	33_2_00007FFDF58BDC60
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58F1BF0	33_2_00007FFDF58F1BF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF584A5E0	33_2_00007FFDF584A5E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5840570	33_2_00007FFDF5840570
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58435D0	33_2_00007FFDF58435D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58365C0	33_2_00007FFDF58365C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58654F0	33_2_00007FFDF58654F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF585050F	33_2_00007FFDF585050F
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5849500	33_2_00007FFDF5849500
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5878530	33_2_00007FFDF5878530
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5896520	33_2_00007FFDF5896520
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5879460	33_2_00007FFDF5879460
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58CF460	33_2_00007FFDF58CF460
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF587D480	33_2_00007FFDF587D480
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5852480	33_2_00007FFDF5852480
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58D24D0	33_2_00007FFDF58D24D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5863840	33_2_00007FFDF5863840
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF585C770	33_2_00007FFDF585C770
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58C0780	33_2_00007FFDF58C0780
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF587F7C0	33_2_00007FFDF587F7C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF583271E	33_2_00007FFDF583271E
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5914680	33_2_00007FFDF5914680
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF587B6D0	33_2_00007FFDF587B6D0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58206C0	33_2_00007FFDF58206C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF588A6C0	33_2_00007FFDF588A6C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF587A210	33_2_00007FFDF587A210
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5836220	33_2_00007FFDF5836220
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF586A250	33_2_00007FFDF586A250
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58D7240	33_2_00007FFDF58D7240
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF592D1A0	33_2_00007FFDF592D1A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58F20F0	33_2_00007FFDF58F20F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF586C0E0	33_2_00007FFDF586C0E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5927080	33_2_00007FFDF5927080
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF584D080	33_2_00007FFDF584D080
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58760A0	33_2_00007FFDF58760A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58BB0A0	33_2_00007FFDF58BB0A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF589F0A0	33_2_00007FFDF589F0A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58370C0	33_2_00007FFDF58370C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58263F0	33_2_00007FFDF58263F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5856450	33_2_00007FFDF5856450
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5835360	33_2_00007FFDF5835360
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58573B0	33_2_00007FFDF58573B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58CD3A0	33_2_00007FFDF58CD3A0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF586F3C0	33_2_00007FFDF586F3C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58893C0	33_2_00007FFDF58893C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58B02F0	33_2_00007FFDF58B02F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5919340	33_2_00007FFDF5919340
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5887330	33_2_00007FFDF5887330
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5894320	33_2_00007FFDF5894320
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5813350	33_2_00007FFDF5813350
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58C1260	33_2_00007FFDF58C1260
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58DDDE0	33_2_00007FFDF58DDDE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5933DE0	33_2_00007FFDF5933DE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5894E30	33_2_00007FFDF5894E30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF593AE50	33_2_00007FFDF593AE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58C2DB0	33_2_00007FFDF58C2DB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58D9DD0	33_2_00007FFDF58D9DD0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF587ACE0	33_2_00007FFDF587ACE0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF586BD00	33_2_00007FFDF586BD00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5874CC0	33_2_00007FFDF5874CC0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF592DFF0	33_2_00007FFDF592DFF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5915050	33_2_00007FFDF5915050
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58DB050	33_2_00007FFDF58DB050
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5866F70	33_2_00007FFDF5866F70
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5930F60	33_2_00007FFDF5930F60
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5898F90	33_2_00007FFDF5898F90
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5822FB0	33_2_00007FFDF5822FB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58B5EF0	33_2_00007FFDF58B5EF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58CDEF0	33_2_00007FFDF58CDEF0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58E4F00	33_2_00007FFDF58E4F00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5837EB0	33_2_00007FFDF5837EB0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5850ED0	33_2_00007FFDF5850ED0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58E79E0	33_2_00007FFDF58E79E0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5887A20	33_2_00007FFDF5887A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58B6A20	33_2_00007FFDF58B6A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5834980	33_2_00007FFDF5834980
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF589B980	33_2_00007FFDF589B980
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58309C0	33_2_00007FFDF58309C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF59309B0	33_2_00007FFDF59309B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58868F0	33_2_00007FFDF58868F0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5921910	33_2_00007FFDF5921910
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58EA920	33_2_00007FFDF58EA920
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF588F860	33_2_00007FFDF588F860
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5856880	33_2_00007FFDF5856880
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF59358B0	33_2_00007FFDF59358B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF58718C0	33_2_00007FFDF58718C0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF592EC00	33_2_00007FFDF592EC00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF585EC10	33_2_00007FFDF585EC10
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5868C00	33_2_00007FFDF5868C00
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF583BC20	33_2_00007FFDF583BC20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF585FC40	33_2_00007FFDF585FC40
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5828B80	33_2_00007FFDF5828B80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF5861B80	33_2_00007FFDF5861B80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694611A20	40_2_00007FF694611A20
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694614180	40_2_00007FF694614180
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694615C80	40_2_00007FF694615C80
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694612A04	40_2_00007FF694612A04
Source: C:\Windows\System32\WUDFHost.exe	Code function: 54_2_00007FFE1320103C	54_2_00007FFE1320103C
Source: C:\Windows\System32\WUDFHost.exe	Code function: 54_2_00007FFE132027CC	54_2_00007FFE132027CC

Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe

Process token adjusted: Load Driver

Source: C:\Windows\System32\svchost.exe

Process token adjusted: Security

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: String function: 00007FFDF58261E0 appears 97 times
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: String function: 00007FFDF5835660 appears 246 times
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: String function: 00007FFDF58C7070 appears 79 times
Source: C:\Windows\System32\WUDFHost.exe	Code function: String function: 00007FFE13201768 appears 42 times

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: invalid certificate

Source: unknown

Driver loaded: C:\Windows\System32\drivers\WUDFRd.sys

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: AccesskeyCli.exe.0.dr, Constants.cs

Base64 encoded string: 'ICBfX18gX19fXyAgICAgICAgICAgICAgICAgXyAgICAgICAgICAgICAgICAgIF8gICAgICAgICAgICAgICAgICAgICAgICAgXyAgICAgICAgICAgICAgCiB8XyBffCAgXyBcIF8gX18gX19fICAgX19ffCB8IF9fXyAgXyBfXyAgICAgIC8gXCAgIF9fXyBfX18gX19fICBfX18gX19ffCB8IF9fX19fIF8gICBfIAogIHwgfHwgfCB8IHwgJ18gYCBfIFwgLyBfIFwgfC8gXyBcfCAnXyBcICAgIC8gXyBcIC8gX18vIF9fLyBfIFwvIF9fLyBfX3wgfC8gLyBfIFwgfCB8IHwKICB8IHx8IHxffCB8IHwgfCB8IHwgfCAgX18vIHwgKF8pIHwgfCB8IHwgIC8gX19fIFwgKF98IChffCAgX18vXF9fIFxfXyBcICAgPCAgX18vIHxffCB8CiB8X19ffF9fX18vfF98IHxffCB8X3xcX19ffF98XF9fXy98X3wgfF98IC9fLyAgIFxfXF9fX1xfX19cX19ffHxfX18vX19fL198XF9cX19ffFxfXywgfAogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB8X19fLyA='

Source: classification engine

Classification label: mal52.evad.winEXE@101/120@1/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00403552 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,	0_2_00403552
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014000A810 GetCurrentThread,OpenThreadToken,GetLastError,ImpersonateSelf,GetCurrentThread,OpenThreadToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,	3_2_000000014000A810
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF6946111C4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,	40_2_00007FF6946111C4

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Code function: 0_2_004049E7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049E7

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: _snwprintf_s,CreateServiceW,GetLastError,CloseServiceHandle,DeleteService,CloseServiceHandle,CloseServiceHandle,

3_2_00000001400133A0

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_000000014000ACB0 CreateToolhelp32Snapshot,GetLastError,GetLastError,CloseHandle,PostThreadMessageW,Thread32Next,PostThreadMessageW,Thread32Next,GetLastError,GetLastError,CloseHandle,

3_2_000000014000ACB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Code function: 0_2_004021CF CoCreateInstance,

0_2_004021CF

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140002840 GetUserDefaultLangID,FindResourceExW,GetLastError,FindResourceExW,LoadResource,CreateDialogIndirectParamW,

3_2_0000000140002840

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140012160 _snwprintf_s,GetProcessHeap,HeapAlloc,ChangeServiceConfigW,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,ChangeServiceConfig2W,GetLastError,

3_2_0000000140012160

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

3_2_000000014000A2E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File created: C:\Program Files (x86)\IDmelon

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Windows\System32\drvinst.exe	Mutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\WUDFHost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File created: C:\Users\user\AppData\Local\Temp\nsu9AB0.tmp

Jump to behavior

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sqlite3.dll0.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3.dll0.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll0.0.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3.dll0.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll0.0.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll0.0.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, sqlite3.dll0.0.dr, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll0.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Service.exe, Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, e_sqlite3.dll.0.dr, e_sqlite3.dll0.0.dr, e_sqlite3.dll1.0.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll0.0.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: sqlite3.dll0.0.dr	Binary or memory string: CREATE TABLE xx( name STRING, /* Name of table or index / path INTEGER, / Path to page from root / pageno INTEGER, / Page number / pagetype STRING, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	ReversingLabs: Detection: 15%
Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Virustotal: Detection: 6%

Source: devcon.exe	String found in binary or memory: ng of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after
Source: devcon.exe	String found in binary or memory: positioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key
Source: C:\Windows\SysWOW64\setx.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\accesskeyfidovhid.inf" "9" "4196477d7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "c:\program files (x86)\idmelon\accesskey\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "0000000000000168"
Source: unknown	Process created: C:\Windows\System32\WUDFHost.exe "C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-3ba73f07-7082-44ba-ac25-62d6a3756b80 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-0c2aa50f-a6b5-49c5-8b4d-5aa353434dea -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d4f7a26f-e897-4801-9374-f1c601e77e78 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ec48fbad-1509-4711-bef9-62c3b1e095c0 -LifetimeId:a4533485-4f57-41b2-936a-ec5cac55ccfb -DeviceGroupId:WudfDefaultDevicePool -HostArg:0
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Description "IDmelon Accesskey reader service which is responsible for reading Accesskey IDs"
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdoutCreationDisposition 4
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Description "IDmelon Accesskey reader service which is responsible for reading Accesskey IDs"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdoutCreationDisposition 4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\accesskeyfidovhid.inf" "9" "4196477d7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "c:\program files (x86)\idmelon\accesskey\driver"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "0000000000000168"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ncryptprov.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: dsreg.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\dsregcmd.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: devrtl.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: spinf.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: drvstore.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: newdev.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpnpmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: wudfplatform.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: dbghelp.dll
Source: C:\Windows\System32\WUDFHost.exe	Section loaded: wudfx02000.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Section loaded: cryptbase.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

File written: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\ioSpecial.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static file information: File size 32784232 > 1048576

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdbSHA256 source: Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source:	Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdbSHA256 source: Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdbSHA256 source: System.Text.Encodings.Web.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdb source: GrpcClients.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb62P2 B2_CorDllMainmscoree.dll source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\IDmelonVirtualHidAPI\obj\Release\IDmelonVirtualHidAPI.pdb source: Service.exe, 00000021.00000002.3601729165.0000019D3B2C2000.00000002.00000001.01000000.00000014.sdmp, IDmelonVirtualHidAPI.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\ServerApi\obj\Release\ServerApi.pdb source: Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp
Source:	Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdbSHA256 source: Service.exe, 00000021.00000002.3602128842.0000019D3B382000.00000002.00000001.01000000.0000001A.sdmp, DeviceId.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdbg_ source: Service.exe, 00000021.00000002.3604875434.0000019D3C292000.00000002.00000001.01000000.00000025.sdmp, DB.dll.0.dr
Source:	Binary string: T:\altsrc\github\grpc\workspace_csharp_ext_windows_x64\cmake\build\x64\grpc_csharp_ext.pdb source: Service.exe, 00000021.00000002.3618132699.00007FFDF63BA000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256 source: Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\DB\obj\Release\DB.pdb source: Service.exe, 00000021.00000002.3604875434.0000019D3C292000.00000002.00000001.01000000.00000025.sdmp, DB.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\AccesskeyCli\obj\Release\AccesskeyCli.pdb_ source: AccesskeyCli.exe.0.dr
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.0.dr
Source:	Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdbSHA256n source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr
Source:	Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb source: EllipticCurve.dll.0.dr
Source:	Binary string: /var/local/git/grpc/src/csharp/Grpc.Core/obj/Release/net45/Grpc.Core.pdb source: Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Numerics.Vectors/net46\System.Numerics.Vectors.pdb source: System.Numerics.Vectors.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256N source: Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Threading.Tasks.Extensions.dll.0.dr
Source:	Binary string: C:\xcode\envar test\envar release3\Contrib\EnVar\Release Unicode\EnVar.pdbEnvironmentSystem\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment3System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironmentNULLSystem\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment6System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment033NULL40165056461116063415160path646System\CurrentControlSet\Control\Session Manager\EnvironmentEnvironment06HKCUHKLMHKLM134NULL134160 source: EnVar.dll.0.dr
Source:	Binary string: C:\Users\Jafar\source\repos\EllipticCurve\EllipticCurve\obj\Release\EllipticCurve.pdb~y source: EllipticCurve.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcProtoCompiler\obj\Release\TagReaderGRPC.pdb source: Service.exe, 00000021.00000002.3601894777.0000019D3B2F2000.00000002.00000001.01000000.00000017.sdmp, TagReaderGRPC.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\arm\e_sqlite3.pdb source: e_sqlite3.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netfx\System.Memory.pdb source: Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: c:\dev\sqlite\core\sqlite3.pdb source: sqlite3.dll0.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdbSHA256w#NtW source: SocketIO.Serializer.Core.dll.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, SQLitePCLRaw.batteries_v2.dll.0.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Logger\obj\Release\Logger.pdb source: Service.exe, 00000021.00000002.3599331221.0000019D22A92000.00000002.00000001.01000000.00000013.sdmp, Logger.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdb source: Service.exe, 00000021.00000002.3604346724.0000019D3BB52000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\Program Files (x86)\Jenkins\workspace\pcProxAPI-sdk-release-bot\pcProxAPI\runtime\win\x64\Release\USBWejAPI.pdb source: pcProxAPI.dll0.0.dr
Source:	Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256CM source: Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Service\obj\Release\Service.pdb source: Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr
Source:	Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdbSHA256 source: Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr
Source:	Binary string: /_/csharp/src/Google.Protobuf/obj/Release/net45/Google.Protobuf.pdb source: Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp
Source:	Binary string: /home/runner/work/RestSharp/RestSharp/src/RestSharp/obj/Release/net471/RestSharp.pdb source: Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Fido\obj\Release\Fido.pdb source: Service.exe, 00000021.00000002.3604129531.0000019D3BAF2000.00000002.00000001.01000000.00000020.sdmp, Fido.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdb source: Service.exe, 00000021.00000002.3604923669.0000019D3C2A2000.00000002.00000001.01000000.00000026.sdmp, BioKey.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x86\e_sqlite3.pdb source: e_sqlite3.dll1.0.dr
Source:	Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb source: websocket-sharp.dll.0.dr
Source:	Binary string: devcon.pdb source: devcon.exe, 00000028.00000000.1876422070.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000000.1878914711.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000002.1880845418.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000000.1881554737.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000002.1922841753.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source:	Binary string: /home/vsts/work/1/s/src/SocketIO.Serializer.Core/obj/Release/netstandard2.0/SocketIO.Serializer.Core.pdb source: SocketIO.Serializer.Core.dll.0.dr
Source:	Binary string: /_/src/Grpc.Core.Api/obj/Release/net462/Grpc.Core.Api.pdb source: Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: devcon.pdbGCTL source: devcon.exe, 00000028.00000000.1876422070.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000000.1878914711.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002A.00000002.1880845418.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000000.1881554737.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe, 0000002C.00000002.1922841753.00007FF694618000.00000002.00000001.01000000.0000000B.sdmp, devcon.exe.0.dr
Source:	Binary string: C:\projects\websocket-sharp\websocket-sharp\obj\Release\net45\websocket-sharp.pdb* source: websocket-sharp.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\AccesskeyCli\obj\Release\AccesskeyCli.pdb source: AccesskeyCli.exe.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Encryption\obj\Release\Encryption.pdb source: Service.exe, 00000021.00000002.3601851877.0000019D3B2E2000.00000002.00000001.01000000.00000016.sdmp, Encryption.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\GrpcClients\obj\Release\GrpcClients.pdbAF[F MF_CorDllMainmscoree.dll source: GrpcClients.dll.0.dr
Source:	Binary string: C:\Users\eric\dev\cb\bld\bin\e_sqlite3\win\v142\plain\x64\e_sqlite3.pdb source: Service.exe, 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmp, e_sqlite3.dll0.0.dr
Source:	Binary string: C:\xcode\envar test\envar release3\Contrib\EnVar\Release Unicode\EnVar.pdb source: EnVar.dll.0.dr
Source:	Binary string: /_/src/DeviceId/obj/Release/net40/DeviceId.pdb source: Service.exe, 00000021.00000002.3602128842.0000019D3B382000.00000002.00000001.01000000.0000001A.sdmp, DeviceId.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdb source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Encodings.Web/Release/net462/System.Text.Encodings.Web.pdb source: System.Text.Encodings.Web.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\WindowsDriverDevelopment\virtual_hid_fido\driver\umdf2\AccessKey\x64\Release\AccessKeyFidoVhid.pdb source: devcon.exe, 0000002C.00000003.1919797893.000001F54C460000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1897657026.000001BA8BF0A000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000002F.00000003.1900629553.000001BA8BFA9000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 00000032.00000003.1917580068.00000255722D8000.00000004.00000020.00020000.00000000.sdmp, WUDFHost.exe, 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmp, SETD2F6.tmp.44.dr, AccessKeyFidoVhid.dll.0.dr, SETDB43.tmp.50.dr
Source:	Binary string: C:\Users\Amini\Downloads\WpfToggleSwitchs\WpfToggleSwitch\CSharp\CSharpControls.Wpf\obj\Release\CSharpControls.Wpf.pdb source: CSharpControls.Wpf.dll.0.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.ValueTuple/net47\System.ValueTuple.pdb source: Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr
Source:	Binary string: /_/artifacts/obj/System.Text.Json/Release/net462/System.Text.Json.pdbSHA256 source: Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\Suprema\obj\Release\Suprema.pdbqI source: Service.exe, 00000021.00000002.3604346724.0000019D3BB52000.00000002.00000001.01000000.00000022.sdmp
Source:	Binary string: C:\Users\Public\Documents\Work\accesskey\src\BioKey\obj\Release\BioKey.pdbo source: Service.exe, 00000021.00000002.3604923669.0000019D3C2A2000.00000002.00000001.01000000.00000026.sdmp, BioKey.dll.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: CBOR.dll.0.dr, PropertyMap.cs

.Net Code: TypeToObject

Source: BioKey.dll.0.dr

Static PE information: 0xC929BB55 [Fri Dec 11 23:35:49 2076 UTC]

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140023A88 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

3_2_0000000140023A88

Source: nsExec.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xc1ae
Source: uninstall.exe.0.dr	Static PE information: real checksum: 0x1f4c237 should be: 0x2fdc9
Source: System.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x67cd
Source: EnVar.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0xe868
Source: BioKey.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x159d8
Source: CSharpControls.Wpf.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x1746d
Source: InstallOptions.dll.0.dr	Static PE information: real checksum: 0x0 should be: 0x8314

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_00000001400055DB push rcx; iretd

3_2_00000001400055DC

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD2F6.tmp	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	File created: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\SETDB43.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\EnVar.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4DA.tmp	Jump to dropped file

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\SETDB43.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4DA.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\AccessKeyFidoVhid.dll (copy)	Jump to dropped file

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\NSSM

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WUDFRd

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey.lnk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Uninstall Accesskey.lnk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey Website.lnk	Jump to behavior

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_000000014000A2E0 _snwprintf_s,PathQuoteSpacesW,GetModuleFileNameW,GetModuleFileNameW,PathQuoteSpacesW,TlsAlloc,GetStdHandle,StartServiceCtrlDispatcherW,GetLastError,

3_2_000000014000A2E0

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\setx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WUDFHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WUDFHost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Memory allocated: 19D226C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Memory allocated: 19D3AC00000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Code function: 33_2_00007FFDF588B9FA str word ptr [rax-75h]

33_2_00007FFDF588B9FA

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: OpenServiceW,GetServiceDisplayNameW,GetServiceKeyNameW,GetLastError,GetLastError,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,GetProcessHeap,HeapFree,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		3_2_000000014000EE50
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: EnumServicesStatusExW,GetLastError,GetLastError,GetProcessHeap,HeapAlloc,EnumServicesStatusExW,GetLastError,_snwprintf_s,GetProcessHeap,HeapFree,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,		3_2_0000000140011A80

Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe

Code function: 40_2_00007FF6946115E8 GetLastError,SetupDiGetDeviceRegistryPropertyW,

40_2_00007FF6946115E8

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Thread delayed: delay time: 268435455

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Window / User API: threadDelayed 1366
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Window / User API: threadDelayed 4571
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Window / User API: threadDelayed 3947
Source: C:\Windows\System32\WUDFHost.exe	Window / User API: threadDelayed 553

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\nsExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\AccessKeyFidoVhid.dll (copy)	Jump to dropped file
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD2F6.tmp	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\UMDF\SETDB43.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\EnVar.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Dropped PE file which has not been started: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4DA.tmp	Jump to dropped file

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_3-14909

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	API coverage: 4.3 %
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	API coverage: 7.3 %

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 1524	Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 1524	Thread sleep time: -268435455s >= -30000s
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 2132	Thread sleep count: 1366 > 30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 2132	Thread sleep count: 4571 > 30
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe TID: 1524	Thread sleep count: 3947 > 30
Source: C:\Windows\System32\WUDFHost.exe TID: 7520	Thread sleep count: 44 > 30
Source: C:\Windows\System32\WUDFHost.exe TID: 7524	Thread sleep count: 553 > 30

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WUDFHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WUDFHost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_004068D4 FindFirstFileW,FindClose,	0_2_004068D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00405C83 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C83
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Code function: 0_2_00402930 FindFirstFileW,	0_2_00402930
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF6946169C0 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,	40_2_00007FF6946169C0

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Code function: 33_2_00007FFDF59235E0 GetSystemInfo,

33_2_00007FFDF59235E0

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Thread delayed: delay time: 268435455

Source: SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Binary or memory string: qeMuI
Source: dsregcmd.exe, 00000023.00000003.1867281988.0000026B5F3E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Service.exe, 00000021.00000002.3602321373.0000019D3B43A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Grpc.Core.dll.0.dr	Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	API call chain: ExitProcess graph end node			graph_0-3399
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	API call chain: ExitProcess graph end node			graph_3-14911

Source: C:\Windows\System32\drivers\WUDFRd.sys

System information queried: ModuleInformation

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

3_2_0000000140018800

Source: C:\Windows\System32\WUDFHost.exe

Code function: 54_2_00007FFE13201450 SleepEx,CreateNamedPipeW,swprintf,OutputDebugStringA,swprintf,OutputDebugStringA,ConnectNamedPipe,GetLastError,swprintf,OutputDebugStringA,WriteFile,SleepEx,ReadFile,FindCloseChangeNotification,ReleaseMutex,WaitForSingleObject,WriteFile,PeekNamedPipe,CloseHandle,ReleaseMutex,

54_2_00007FFE13201450

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

3_2_0000000140023A88

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140002530 GetUserDefaultLangID,FormatMessageW,FormatMessageW,GetProcessHeap,HeapAlloc,_snwprintf_s,

3_2_0000000140002530

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Process token adjusted: Debug

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140018800 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0000000140018800
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140023D20 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000140023D20
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_0000000140020180 SetUnhandledExceptionFilter,	3_2_0000000140020180
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Code function: 3_2_000000014001B6C4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_000000014001B6C4
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF59444B0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	33_2_00007FFDF59444B0
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Code function: 33_2_00007FFDF593F728 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	33_2_00007FFDF593F728
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694617130 SetUnhandledExceptionFilter,	40_2_00007FF694617130
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Code function: 40_2_00007FF694616F14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	40_2_00007FF694616F14
Source: C:\Windows\System32\WUDFHost.exe	Code function: 54_2_00007FFE132046C8 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	54_2_00007FFE132046C8
Source: C:\Windows\System32\WUDFHost.exe	Code function: 54_2_00007FFE13204110 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	54_2_00007FFE13204110

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Memory allocated: page read and write | page guard

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_000000014000A180 GetProcessHeap,HeapAlloc,GetCommandLineW,_snwprintf_s,ShellExecuteExW,GetProcessHeap,HeapFree,

3_2_000000014000A180

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\SysWOW64\setx.exe setx /M IDmelonMode access-key	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe "C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Description "IDmelon Accesskey reader service which is responsible for reading Accesskey IDs"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdoutCreationDisposition 4	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe	Process created: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Process created: C:\Windows\System32\dsregcmd.exe "C:\Windows\System32\dsregcmd.exe" /status

Source: unknown

Process created: C:\Windows\System32\WUDFHost.exe "c:\windows\system32\wudfhost.exe" -hostguid:{193a1820-d9ac-4997-8c55-be817523f6aa} -ioeventportname:\umdfcommunicationports\wudf\hostprocess-3ba73f07-7082-44ba-ac25-62d6a3756b80 -systemeventportname:\umdfcommunicationports\wudf\hostprocess-0c2aa50f-a6b5-49c5-8b4d-5aa353434dea -iocanceleventportname:\umdfcommunicationports\wudf\hostprocess-d4f7a26f-e897-4801-9374-f1c601e77e78 -nonstatechangingeventportname:\umdfcommunicationports\wudf\hostprocess-ec48fbad-1509-4711-bef9-62c3b1e095c0 -lifetimeid:a4533485-4f57-41b2-936a-ec5cac55ccfb -devicegroupid:wudfdefaultdevicepool -hostarg:0

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_000000014000A050 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

3_2_000000014000A050

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: GetLocaleInfoA,

3_2_00000001400245E8

Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe

Code function: 40_2_00007FF6946115E8 GetLastError,SetupDiGetDeviceRegistryPropertyW,

40_2_00007FF6946115E8

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\DB.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll VolumeInformation
Source: C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	Queries volume information: C:\Program Files (x86)\IDmelon\Accesskey\Driver\wudf.cat VolumeInformation
Source: C:\Windows\System32\drvinst.exe	Queries volume information: C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\wudf.cat VolumeInformation

Source: C:\Windows\System32\WUDFHost.exe

54_2_00007FFE13201450

Source: C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Code function: 3_2_0000000140008480 GetSystemTime,CreateFileW,GetFileInformationByHandle,SystemTimeToFileTime,CloseHandle,SystemTimeToFileTime,CompareFileTime,GetLastError,SystemTimeToFileTime,FileTimeToSystemTime,CopyFileW,Sleep,SetFilePointer,SetEndOfFile,CloseHandle,MoveFileW,GetLastError,

3_2_0000000140008480

Source: C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

0_2_00403552

Source: C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	2 LSASS Driver	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	2 LSASS Driver	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	1 Clipboard Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Service Execution	33 Windows Service	1 DLL Side-Loading	21 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Software Packing	NTDS	37 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	33 Windows Service	1 Timestomp	LSA Secrets	2 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	12 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Registry Run Keys / Startup Folder	1 File Deletion	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	32 Masquerading	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	41 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	16%	ReversingLabs
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	7%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\DB.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Service.exe	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll	0%	ReversingLabs
C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com	0%	Virustotal		Browse
skm.idmelon.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://mozilla.org/MPL/2.0/.	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://www.sqlite.org/copyright.html.	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/encoding/	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://james.newtonking.com/projects/json	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://schemas.xmlsoap.org/wsdl/	0%	URL Reputation	safe
https://www.newtonsoft.com/jsonschema	0%	URL Reputation	safe
https://www.nuget.org/packages/Newtonsoft.Json.Bson	0%	URL Reputation	safe
https://skm.idmelon.com	0%	Virustotal		Browse
https://github.com/dotnet/runtime8	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	0%	Virustotal		Browse
https://skm.idmelon.com/apis/access-key-cli/v18	1%	Virustotal		Browse
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	0%	Avira URL Cloud	safe
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime8	0%	Avira URL Cloud	safe
https://skm.idmelon.com/apis/access-key-cli/v18	0%	Avira URL Cloud	safe
https://skm.idmelon.com	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Virustotal		Browse
https://idmp.idmelon.com/v2	0%	Avira URL Cloud	safe
https://idmp.idmelon.com/v2	0%	Virustotal		Browse
https://github.com/restsharp/RestSharp.git	0%	Avira URL Cloud	safe
https://idmp.idmelon.com/v2/Received	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf	0%	Avira URL Cloud	safe
https://skm.idmelon.com/apis/access-key	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime	0%	Avira URL Cloud	safe
https://github.com/protocolbuffers/protobuf.git	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf	0%	Virustotal		Browse
https://github.com/restsharp/RestSharp.git	0%	Virustotal		Browse
https://aka.ms/dotnet-warnings/	0%	Avira URL Cloud	safe
https://idmp.idmelon.com/v2/Received	0%	Virustotal		Browse
https://idmp.idmelon.com	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-warnings/	0%	Virustotal		Browse
http://idmelon.com9Failed	0%	Avira URL Cloud	safe
https://github.com/protocolbuffers/protobuf.git	0%	Virustotal		Browse
https://aka.ms/serializationformat-binary-obsolete	0%	Avira URL Cloud	safe
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate/?redirectUrl=idmelonpt://login	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime	0%	Virustotal		Browse
https://sectigo.com/CPS0D	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Avira URL Cloud	safe
https://aka.ms/serializationformat-binary-obsolete	0%	Virustotal		Browse
http://schemas.fontawesome.io/icons/	0%	Avira URL Cloud	safe
https://idmp.idmelon.com	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	Virustotal		Browse
http://wpfanimatedgif.codeplex.com	0%	Avira URL Cloud	safe
https://github.com/netty/netty/issues/6520.s	0%	Avira URL Cloud	safe
https://github.com/JamesNK/Newtonsoft.Json	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	0%	Virustotal		Browse
https://github.com/doghappy/socket.io-client-csharp&	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Virustotal		Browse
https://www.idmelon.com/	0%	Avira URL Cloud	safe
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate/?redirectUrl=idmelonpt://login	0%	Virustotal		Browse
https://github.com/doghappy/socket.io-client-csharp&	0%	Virustotal		Browse
https://github.com/netty/netty/issues/6520.s	0%	Virustotal		Browse
http://schemas.fontawesome.io/icons/	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	0%	Avira URL Cloud	safe
https://github.com/grpc/grpc.git6	0%	Avira URL Cloud	safe
http://nssm.cc/	0%	Avira URL Cloud	safe
https://authnapi.idmelon.com	0%	Avira URL Cloud	safe
http://wpfanimatedgif.codeplex.com	1%	Virustotal		Browse
https://github.com/grpc/grpc.git6	0%	Virustotal		Browse
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	0%	Avira URL Cloud	safe
https://github.com/dotnet/roslyn/issues/46646~	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	0%	Virustotal		Browse
https://github.com/JamesNK/Newtonsoft.Json	0%	Virustotal		Browse
https://github.com/ericsink/SQLitePCL.rawX	0%	Avira URL Cloud	safe
https://github.com/netty/netty/issues/6520.	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	0%	Virustotal		Browse
https://authnapi.idmelon.com	0%	Virustotal		Browse
https://github.com/dotnet/runtime/issues/73124.	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8	0%	Avira URL Cloud	safe
https://github.com/ericsink/SQLitePCL.rawX	0%	Virustotal		Browse
https://www.idmelon.com/	0%	Virustotal		Browse
https://github.com/grpc/grpc.git	0%	Avira URL Cloud	safe
https://github.com/dotnet/roslyn/issues/46646~	0%	Virustotal		Browse
https://github.com/netty/netty/issues/6520.	0%	Virustotal		Browse
http://nssm.cc/	0%	Virustotal		Browse
https://github.com/dotnet/runtime/issues/73124.	0%	Virustotal		Browse
https://skm.idmelon.com/apis/access-key-cli/v1/apps	0%	Avira URL Cloud	safe
https://www.idmelon.com/downloads/pairing_tool/version.json	0%	Avira URL Cloud	safe
http://idmelon.comoThe	0%	Avira URL Cloud	safe
http://idmelon.com	0%	Avira URL Cloud	safe
https://github.com/grpc/grpc.git	0%	Virustotal		Browse
https://test.authnapi.idmelon.com/apis/access-key-cli/v1	0%	Avira URL Cloud	safe
https://github.com/ericsink/SQLitePCL.rawH	0%	Avira URL Cloud	safe
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8	0%	Virustotal		Browse
https://github.com/dotnet/roslyn/issues/46646	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com	34.214.245.150	true	false	0%, Virustotal, Browse	unknown
skm.idmelon.com	unknown	unknown	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://skm.idmelon.com/apis/access-key-cli/v1/apps	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8	Service.exe, 00000021.00000002.3602766191.0000019D3B562000.00000002.00000001.01000000.0000001D.sdmp, Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr, System.Runtime.CompilerServices.Unsafe.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime8	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	pcProxAPI.dll0.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.sectigo.com0	pcProxAPI.dll0.0.dr	false	URL Reputation: safe URL Reputation: safe	unknown
https://skm.idmelon.com	Service.exe, 00000021.00000002.3599633247.0000019D22C43000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://skm.idmelon.com/apis/access-key-cli/v18	Service.exe, 00000021.00000002.3599633247.0000019D22FC8000.00000004.00000800.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	Service.exe, 00000021.00000002.3601954060.0000019D3B312000.00000002.00000001.01000000.00000018.sdmp, log4net.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://idmp.idmelon.com/v2	Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000021.00000002.3599633247.0000019D22C01000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/restsharp/RestSharp.git	Service.exe, 00000021.00000002.3602187574.0000019D3B3C2000.00000002.00000001.01000000.0000001B.sdmp, RestSharp.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf	Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://idmp.idmelon.com/v2/Received	Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://skm.idmelon.com/apis/access-key	Service.exe, 00000021.00000002.3599633247.0000019D22FC8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/protocolbuffers/protobuf.git	Service.exe, 00000021.00000002.3604634725.0000019D3BBE2000.00000002.00000001.01000000.00000024.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://mozilla.org/MPL/2.0/.	Service.exe, 00000021.00000002.3603461570.0000019D3B8FC000.00000004.00000020.00020000.00000000.sdmp, Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Service.exe, 00000021.00000002.3601327320.0000019D32C23000.00000004.00000800.00020000.00000000.sdmp, Grpc.Core.dll.0.dr	false	URL Reputation: safe	unknown
https://github.com/dotnet/runtime	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Encodings.Web.dll.0.dr, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-warnings/	System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://idmp.idmelon.com	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://idmelon.com9Failed	Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/serializationformat-binary-obsolete	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://authnapi.idmelon.com/auth/adminiStrator/delegatedAuthenticate/?redirectUrl=idmelonpt://login	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0D	pcProxAPI.dll0.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/binaryformatter	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.fontawesome.io/icons/	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588	Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Service.exe, 00000021.00000002.3599633247.0000019D22C43000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://wpfanimatedgif.codeplex.com	AccesskeyCli.exe.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/netty/netty/issues/6520.s	Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll0.0.dr	false	URL Reputation: safe	unknown
https://github.com/JamesNK/Newtonsoft.Json	Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/doghappy/socket.io-client-csharp&	SocketIO.Serializer.Core.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
https://www.idmelon.com/	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958	Service.exe, 00000021.00000002.3604231776.0000019D3BB22000.00000002.00000001.01000000.00000021.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/grpc/grpc.git6	Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	Service.exe, 00000021.00000002.3599633247.0000019D22CA5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nssm.cc/	nssm.exe, nssm.exe, 00000003.00000000.1816759065.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000005.00000002.1821554597.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000007.00000002.1824056715.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000009.00000002.1826504358.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000B.00000000.1827718062.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000D.00000000.1830187905.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000000F.00000002.1835388792.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000011.00000000.1835854085.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000013.00000000.1838414436.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000015.00000002.1842863095.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000017.00000002.1845034170.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000019.00000000.1846041093.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001B.00000002.1849679192.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001D.00000000.1850811410.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000001F.00000000.1852024276.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000024.00000002.1871928036.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000026.00000000.1873191186.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 00000038.00000000.1933180702.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003A.00000002.1937478499.0000000140065000.00000002.00000001.01000000.00000007.sdmp, nssm.exe, 0000003C.00000000.1938257275.0000000140065000.00000002.00000001.01000000.00000007.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://authnapi.idmelon.com	AccesskeyCli.exe.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f	Service.exe, 00000021.00000002.3602684343.0000019D3B512000.00000002.00000001.01000000.0000001C.sdmp, System.Buffers.dll.0.dr, System.Threading.Tasks.Extensions.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/roslyn/issues/46646~	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/ericsink/SQLitePCL.rawX	Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, SQLitePCLRaw.core.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/netty/netty/issues/6520.	Service.exe, 00000021.00000002.3618132699.00007FFDF623D000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime/issues/73124.	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe	false	URL Reputation: safe	unknown
https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8	Service.exe, 00000021.00000002.3605243399.0000019D3C332000.00000002.00000001.01000000.0000002A.sdmp, System.ValueTuple.dll.0.dr, System.Numerics.Vectors.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/grpc/grpc.git	Service.exe, 00000021.00000002.3604421784.0000019D3BB62000.00000002.00000001.01000000.00000023.sdmp, Grpc.Core.dll.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.idmelon.com/downloads/pairing_tool/version.json	Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	false	Avira URL Cloud: safe	unknown
http://idmelon.comoThe	Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	false	Avira URL Cloud: safe	unknown
http://idmelon.com	Service.exe, 00000021.00000002.3599633247.0000019D22EA4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://james.newtonking.com/projects/json	Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	false	URL Reputation: safe	unknown
https://test.authnapi.idmelon.com/apis/access-key-cli/v1	AccesskeyCli.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/ericsink/SQLitePCL.rawH	Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/roslyn/issues/46646	Service.exe, 00000021.00000002.3603075194.0000019D3B692000.00000002.00000001.01000000.0000001F.sdmp, System.Text.Json.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/praeclarum/sqlite-net.git7	Service.exe, 00000021.00000002.3605079178.0000019D3C2D2000.00000002.00000001.01000000.00000028.sdmp	false	Avira URL Cloud: safe	unknown
https://www.idmelon.com/downloads/pairing_tool/setup.exe?v=	Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
https://www.catcert.net/verarrel	Grpc.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/grpc/grpc-dotnet.git	Service.exe, 00000021.00000002.3602077345.0000019D3B362000.00000002.00000001.01000000.00000019.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	pcProxAPI.dll0.0.dr	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/wsdl/	Service.exe, 00000021.00000002.3599633247.0000019D22CFB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/doghappy/socket.io-client-csharp	SocketIO.Serializer.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://www.newtonsoft.com/jsonschema	Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	false	URL Reputation: safe	unknown
https://skm.idmelon.com/apis/access-key-cli/v1	Service.exe, 00000021.00000002.3601786369.0000019D3B2D2000.00000002.00000001.01000000.00000015.sdmp, Service.exe, 00000021.00000002.3599633247.0000019D22C01000.00000004.00000800.00020000.00000000.sdmp, Service.exe, 00000021.00000000.1852944375.0000019D22292000.00000002.00000001.01000000.00000008.sdmp, Service.exe.0.dr, AccesskeyCli.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0A	pcProxAPI.dll0.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/ericsink/SQLitePCL.raw	Service.exe, 00000021.00000002.3605184889.0000019D3C312000.00000002.00000001.01000000.00000029.sdmp, Service.exe, 00000021.00000002.3605002329.0000019D3C2C2000.00000002.00000001.01000000.00000027.sdmp, Service.exe, 00000021.00000002.3605293993.0000019D3C352000.00000002.00000001.01000000.0000002B.sdmp, SQLitePCLRaw.core.dll.0.dr, SQLitePCLRaw.batteries_v2.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Service.exe, 00000021.00000002.3602810988.0000019D3B5D2000.00000002.00000001.01000000.0000001E.sdmp	false	URL Reputation: safe	unknown
https://www.idmelon.com/pairing-tool/	AccesskeyCli.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/praeclarum/sqlite-net.git	Service.exe, 00000021.00000002.3605079178.0000019D3C2D2000.00000002.00000001.01000000.00000028.sdmp	false	Avira URL Cloud: safe	unknown
http://www.idmelon.com	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000002.2061205840.000000000062F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, 00000000.00000003.2060679922.000000000062D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States		15169	GOOGLEUS	false
34.214.245.150	k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1477394
Start date and time:	2024-07-21 06:34:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	68
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@101/120@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 88 Number of non-executed functions: 214
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:35:24	API Interceptor	10289384x Sleep call for process: Service.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	54.213.11.204
	SecuriteInfo.com.PUA.Tool.InstSrv.10.27384.30600.exe	Get hash	malicious	Unknown	Browse	54.70.179.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	file.exe	Get hash	malicious	Babadeda	Browse	143.204.215.122
	file.exe	Get hash	malicious	Babadeda	Browse	143.204.215.18
	arm7.elf	Get hash	malicious	Mirai	Browse	130.177.187.248
	arm5.elf	Get hash	malicious	Mirai	Browse	54.171.230.55
	https://www.svb.com/learning-central/go/contact	Get hash	malicious	Unknown	Browse	18.245.46.101
	file.exe	Get hash	malicious	Babadeda	Browse	143.204.215.115
	file.exe	Get hash	malicious	Babadeda	Browse	143.204.215.18
	file.exe	Get hash	malicious	Babadeda	Browse	143.204.215.115
	https://xv-dna-idx-com.resmi-v1.biz.id/	Get hash	malicious	Unknown	Browse	18.239.18.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Mx0UGSI897.exe	Get hash	malicious	DCRat	Browse	34.214.245.150
	https://xv-dna-idx-com.resmi-v1.biz.id/	Get hash	malicious	Unknown	Browse	34.214.245.150
	https://help-metaprotectextension.gitbook.io/	Get hash	malicious	Unknown	Browse	34.214.245.150
	https://bet3659981.com/	Get hash	malicious	Unknown	Browse	34.214.245.150
	http://madive-bunde-thinkkjhgf.pages.dev/help/contact/728719822901550/	Get hash	malicious	HTMLPhisher	Browse	34.214.245.150
	http://www.829347219502.com/	Get hash	malicious	Unknown	Browse	34.214.245.150
	https://helps-org---metamskk.gitbook.io/	Get hash	malicious	Unknown	Browse	34.214.245.150
	https://vishalyadav30301.github.io/Instagram-login-page	Get hash	malicious	HTMLPhisher	Browse	34.214.245.150
	http://help--chomre-metaamsk.gitbook.io/	Get hash	malicious	Unknown	Browse	34.214.245.150

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	41
Entropy (8bit):	4.045980358012783
Encrypted:	false
SSDEEP:	3:TdRPZCALEZWp3aV:TfZdLZZe
MD5:	C1D68091F5550E6D1E8EFD8A74BBAEDD
SHA1:	ADE9C2C175686A3A077E496C286EC1361401137F
SHA-256:	F4D11E83230D4B84579A1E456A71C020ECA8C8F221B23196AE1B37D8BF3E6B4F
SHA-512:	F97D2ACD20028EA2BF1D4F73F555316F1C6D6A69A2CDFADD486254ED76872C96172EA38A2CDAE7B2A0E18E04576205E8FA25DBD2E523A6A3A67076428B6EA4F6
Malicious:	false
Preview:	.sxdflgkjhngljkhnasdfoplkhngoljwehnfrop

C:\Program Files (x86)\IDmelon\Accesskey\Accesskey website.url

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<http://www.idmelon.com>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.532268229617389
Encrypted:	false
SSDEEP:	3:HRAbABGQYm/0S4aQLdVv:HRYFVm/r4aezv
MD5:	4382924CD029D894827F113225475D20
SHA1:	8A962CFB320B887119C03BF4B0A8BB456661632F
SHA-256:	41074075E517313974A00A633A82522B481F8AE4B867AF10271985D07995BADE
SHA-512:	3B1FD0ECE3554DFA0C3CE82E4B2A6184E4F3982B17DE67EF63B4E670FB288A31E3B3D1ADEA2ADF16726D3C4F914B3D2F46F33C9BE676681634A358B813AB01BA
Malicious:	false
Preview:	[InternetShortcut]..URL=http://www.idmelon.com..

C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	228392
Entropy (8bit):	5.3227611841816005
Encrypted:	false
SSDEEP:	1536:jPETvxZODI/y64HbnYLYLBPsM8mb8QsnGU3bsOlI/AZ5lfr/30Qh2RApO+T3QvNa:IvxAR77ELmb8QMGUrsOlEQh2n83QVa
MD5:	5C68F548BED2D865DAEEFB1708493351
SHA1:	B99B5482BF003EFC9729D3F291E1700A1C268741
SHA-256:	809CEAFD55FE53B235DB101586BF5CB5A4CCBC4815175CF0F89C2F228F5EB442
SHA-512:	FC7B6A6E46C4FCF7DC55800DF3610B7900CF9FF4EDD7EBCAA696B64BC2DA291669ABF67292890E4555B225261D8CF488037E85E8096F5ECBF77571258B1B7A6A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ..............................E.....`.................................7...O.......L............j..(...............8............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc...............h..............@..B................k.......H........z...............a...x...........................................~......(....Vs....(....t...........( .....{...."..}......( .....{...."..}......( .....( ....r...p.....6(.....(....&....0..........r...p(!.......9.......o"....>.......(....9....(....(#.....o$......(%....3.s....%...(....o&...o'...&+4.o$......(%....3.....s....o....+.r...pr"..p...((...&.W.rF..p.()...(....D..,&...o"....1....i.Y.(....,....i.Y.(.....-.(#.... . ..(+.....(.............m........0..

C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2158
Entropy (8bit):	5.001906641704252
Encrypted:	false
SSDEEP:	48:327Yg+mOwg1Sg+CBOg1gg+w3mgDSag+FIsg+w3w:Kkf6YKwDTwg
MD5:	0CC816CC5B23BFDF1B3201CFF674DBD1
SHA1:	2651C52CAE238FFD27D1D8374EBBE7D7974462AF
SHA-256:	FA516EFA039B73FF56E559789A38E74BCC164F65F7B7C56C6FC364D5EAF56A55
SHA-512:	A51FE6749E38D2F8D779DB9A075B3A92B98403CD912551347CFC0010A09EDDC46F14E449595508AD1C42373BAE75D8ACD3FC8831CF359D90D9B762797D350E19
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neu

C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	4.949607387291885
Encrypted:	false
SSDEEP:	384:C3HwUZ3sK1F2v1I23ou3wHQp9t66S1DFlrMdOREjeJxxICzZhK/vNX3Y2zI0vUIa:C3sK1/W93wwbO3kcE0d9NN
MD5:	18D8F8729A887B835D49D296FE579A85
SHA1:	9ED4A1BF1AD5075BFC71746E55979A6444F766AB
SHA-256:	21FC933D379AD710F889BC07E921420539E3C96F4FC99BA5AC7175956059485A
SHA-512:	A26026885940C246A0C49B56401E2DFEAB7CAED6717C8714CFA840505B8BFB30D1AE84B23E34B86C1A73DABF3C82BE40BCB454770FBE757DCE0D0D6710551B77
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.)..........." ..0..h............... ........... ....................................`.................................G...O.......h...............................8............................................ ............... ..H............text....f... ...h.................. ..`.rsrc...h............j..............@..@.reloc...............n..............@..B................{.......H.......(A...D...........................................................0............s....}......s....}......s....}......s....}......s....}.....(.....s....}.....{......$...%...})....{.....}'....-..{.....}&....{.....}(...+..{.....}&....{.....}(....(....-.r...ps....z..}......}.....s....}.....s....}.....s....}.....s....}....*....0............s....}......s....}......s....}......s....}......s....}.....(......}.....{......$...%...})....{.....}'....-..{.....}&....{.....}(...+..{...

C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1439
Entropy (8bit):	5.043688272837476
Encrypted:	false
SSDEEP:	24:JduPF7NruH2/+mVV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Yg+mOwg1Sg+CBOg1SagXw
MD5:	92908A348BDC4D9C1F69A8C951BF2137
SHA1:	A4ECC68E91EDCF1FB1DA52C4A56CA627D6D71366
SHA-256:	4A18461C471A3BFF1139472062BEC545680EB63CAA28588E75BCC54882737B3C
SHA-512:	1E27B3AA7A6E284EC92F93A17BC0DD7CD65C8225C224A37BD15366D3B1AF6C2C43BCC76EFE1F49B34599B9AEA83345CBDE4141030E447F4FD310407B1F6A7714
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neu

C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.2308666869663676
Encrypted:	false
SSDEEP:	384:kBTJPM/MtwWRGfo6QQFuiwuXAhOKbjo7U:GPwWQfo64l07U
MD5:	AB04E46306767BD337068AA8D06FD030
SHA1:	A414059F2233666740D04663925F05A9D62FE38F
SHA-256:	CA821422D66B5F8F828A33F7FA63D2E3DCF37FFF349486699AF60C9BE3A9A78C
SHA-512:	0B8BA392975292FF3739BA8906E3A655C4F096C6AC8A64B025348383BBBD926626734494120226F9D7051C9841EDC5C89934663DCE18B3E3A73FBA4D63A33710
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...dm.d.........." ..0..0... ......"J... ...`....... ....................................@..................................I..O....`..8............................................................................ ............... ..H............text...(*... ...0.................. ..`.rsrc...8....`.......@..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	4.657614516436592
Encrypted:	false
SSDEEP:	768:gQg4Qrw97g3TGIsPJKop0TDQBIxRSX56GxVgeT:QnkqkOoIDI1Vp
MD5:	EA82AE4604A655B2FCDA992EC6214930
SHA1:	1CD5636CF38085B28394DC99A1B9AC361B0E8DE5
SHA-256:	7F435BD4091FB4544F996DA9C31940F2D1A86388382045D95EA9FBB6DC49F7E4
SHA-512:	F94337618B2BBE802981DF10094AE9FF925BDC3F9F9AB55F7E05F931730B228F503B7BF232E1E897A565BEA18FFA1D02CEF9C38C0762CFC086AC26106802D250
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...bm.d.........." ..0...... ........... ........... ....................... ......sZ....@.................................<...O.......8............................................................................ ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	5.922763836627469
Encrypted:	false
SSDEEP:	3072:xdkYH1ptN/+HyzN7HFcix3Y18912gMyCN0W7wPzozc+j+oYQ0kFz8RN:vdQOHFluq8GCcn
MD5:	8DEF7E1FC741E9D8CBCE2E8F4D4E11B4
SHA1:	85BA62180D7ED3BAA15BD2E4DFDDB3091FF8675E
SHA-256:	442ADD0037FF9593C3737F5C77BF77B198AFD5DD3A8DA0714F3C50D990EA733C
SHA-512:	199AC50D872069BF915CA15C3EDB55DCAFE5465DB2319DB755572A6C66CC71695AF008EF075B2E3CD8B13F862C0341756F0A488730E3F0E3B0D52BA0A08E22D6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N.a.........." ..0.................. ... ....... .......................`......,M....@.................................P...O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............6...........................................................0..4........-.r...ps!...zs"........i..(....,.r...ps#...z.o$....0..:........-.r)..ps!...z....+...(.......X... ..../..+..X...o%...2.....0..!........-.r...ps!...z../.r1..p..(&...rA..p('...s#...z...i1'r1..p..(&...rc..p..i...(&...((...s#...z../.r...p..(&...rA..p('...s#...z...i1'r...p..(&...rc..p..i...(&...((...s#...z..i.Y./M..E...%.r...p.%...(&....%.r...p.%...i.Y...(&....%.r...p.%...(&....()...s#...zs".....

C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	30720
Entropy (8bit):	5.748915622125059
Encrypted:	false
SSDEEP:	768:fmUjegUxTULjdDGaP5zAzU48RZWupurud70IRRY4GNRzglX6TL6:m2RDGaP5zAzULKupurud70IvY4GNRzgb
MD5:	48BAF45D80E6625E61088522D673F4DE
SHA1:	B87C4B3C272EE344AC6A3CFE0F47A8D8FEE49715
SHA-256:	B6AD6A470BA086174871F88F33C9B8F45406E99765E56809DAB0806A2C1A17BF
SHA-512:	E48662A726558CDB9628C153F53D84F6ECDD71509C50D07076149298BE2F04E8193461DF683768E925A73C6703B265CDC7EA05D81B0E00F9F5F96B6E7C349571
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I..a.........." ..0..p............... ........... ....................................`.................................\...O...................................$................................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B........................H........+..D2...........]..(/..........................................>. 4......(....2......o....:........o.....0..,........o....r...p $...........%...%....o....t....&...o......(.......u...............q..............0..2........(......,&.o.....o ...-..o.....(!...,....(........0..N.......~"........#........s#........#........s#........#...... @#........#...... @#........s$..........c ....(%...s&........ .... .... ....(%...s&..........c ....(%...s&........ .... ....

C:\Program Files (x86)\IDmelon\Accesskey\ClientLog.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	552
Entropy (8bit):	5.06340490227939
Encrypted:	false
SSDEEP:	12:HW0M+dHJn4FS+MbFEmczXX6FIPqapEyyIcGRN6zqpUF06J3puellQEmsZwnv:HW0MKHz+UbmXqFIPGHINNULxpueQbsq
MD5:	561E19225AECC736A141C75ACDF39E96
SHA1:	8EB13CD4FC8F25C6076FD16B32A1D24415057176
SHA-256:	AA53894994BE24945B4578A5DC29F552787C0F00A70D816014C456DDD3E0EB08
SHA-512:	DEC25F23C2F9298FD905E4A984D57E3C3D934352471109CB97D6CA393049C5A44F172E1862C82B326E0C885192EA993C5FEB64F83F1A1335D6EE284ADD09304E
Malicious:	false
Preview:	.<log4net>...<appender name="file" type="log4net.Appender.RollingFileAppender">....<file value="C:\ProgramData\IDmelon\Accesskey\clientLog.log" />....<appendToFile value="true" />....<rollingStyle value="Size" />....<maxSizeRollBackups value="5" />....<maximumFileSize value="10MB" />....<staticLogFileName value="true" />....<layout type="log4net.Layout.PatternLayout">.....<conversionPattern value="%date %level - %message%newline" />....</layout>...</appender>...<root>....<level value="ALL" />....<appender-ref ref="file" />...</root>..</log4net>

C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	225280
Entropy (8bit):	6.201066097308408
Encrypted:	false
SSDEEP:	6144:sG/zAnUPpKO6acJ8Ha+VbR9HGzIuIliUtf:syzAUPMeaIDGcfi
MD5:	2F345B6D207489E52DB3F85C2E4E617D
SHA1:	D0CD77AA88B8ED0AE5F07A8132EACA857DEA7795
SHA-256:	2135B40FA819E58CF1942453E4409BFDEA2BE631077A354B878DE8402BE7E026
SHA-512:	24AD3B3620E5E093EA57C1BEC486379853D625DBF962210B2DEB823115A45F9EC4083B6D4BB69610A9DAE4B6076284C11E3663430DB4EA739224E6DE93D88E8D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..f............... ........... ...............................d....`.................................b...O.......................................T............................................ ............... ..H............text....e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H.......dJ...9............................................................{......{/...V.(0.....}......}/......0..A........u........4.,/(1....{.....{....o2...,.(3....{/....{/...o4...... a.(. )UU.Z(1....{....o5...X )UU.Z(3....{/...o6...X...0..b........r...p......%..{.......%q!....!...-.&.+...!...o7....%..{/......%q"...."...-.&.+..."...o7....(8.....{9.....{:...V.(0.....}9.....}:....0..A........u#.......4.,/(1....{9....{9...o2...,.(3....{:....{:...o4...... ..% )UU.

C:\Program Files (x86)\IDmelon\Accesskey\DB.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.299901416152227
Encrypted:	false
SSDEEP:	384:1E44E69TJN6eOuJ0wOs6tx/nQv50DNmfVS6rM/c9:h6dbdwxM0DI9S6rM/c9
MD5:	A03CAA1272CEF60DC2B0064FAC645DF9
SHA1:	0658FA611454F9A9502DD1B5D37AC588E715B8A8
SHA-256:	B976CA18F96DD9BCCF14B33F9832517B966FA2E57CF601BD75C7E8F6DBD175E6
SHA-512:	CFA1EE365F4C37C8BC22A748F7EB8D038C9A72EF07FD8A6DC11E1AFA907A58B3E0D268FA4DA49A38C99BD1FCA0DBB12D4656752A92691DDCF3C6EAE1B85091B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....8..........." ..0..@..........._... ...`....... ....................................`.................................?_..O....`..H............................^..8............................................ ............... ..H............text....?... ...@.................. ..`.rsrc...H....`.......B..............@..@.reloc...............F..............@..B................s_......H.......(....0...........................................................~....{.....0...........(....o....(....r...p(....}.....(......{.....s....}.....{....o...+&.{....o...+&.{....o...+&.{....o...+&.{....o...+&.{.....o...+&.{.....o...+&.{.....o...+&.{.....o...+&.{.....o...+&.s...........{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(......{...."..}......{...."..}......{....*"..}.

C:\Program Files (x86)\IDmelon\Accesskey\DB.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	693
Entropy (8bit):	5.1233623193005275
Encrypted:	false
SSDEEP:	12:MMHdGzNFF7ap+5Xl+Tkf/2/1ZFUSFip+5XlXBorf/2/1ZFUSFicYo4xT:JduPF7NV+TkH2/17zVVXBOH2/17z9y
MD5:	75A1EDD6FC9985FBD0D5824D40B58B35
SHA1:	C4F6C27B5F34254288A7369B5D28F835F6ECABE8
SHA-256:	55DA44B00F8B5B2F9D1AE0C7741E1A55DEFA08BC3033AA22E0D47848D5AA4D4A
SHA-512:	8CCFDFC6C769439CD2F741F3C34CEA4A5550DA89D5EB5532EF167E52CD3AACAB8C32E0F41C007A11F93AE967C1A66D4834670CF2FFF6B3E10ED825A414744FF0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

C:\Program Files (x86)\IDmelon\Accesskey\DefaultLog.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	311
Entropy (8bit):	4.791338764275588
Encrypted:	false
SSDEEP:	6:HW0MvN7dDv/+qpcLrSu0AOMJyNQKmuellozEmsDyEpWKAO:HW0MvFdrHpUF06J3puellQEmsZpNv
MD5:	6A3D6D149385B00DE23C87B4B1BFD4F4
SHA1:	D4ACA7ABA9ADB086F4FB66888EC1B799CC3F8829
SHA-256:	94F3425B94B3ADAB9CC851D1236D44ACAC3D4528BDAA8400FE492F2804A5B096
SHA-512:	DA66005E9BD319C6296D1A13014BD409A3F98150B7F627B120FF78B8D13BE8BB157B9C40C5AD0EDD6CCEEA1C38851B4F3A46A061E1713669B2FB61426DB586B3
Malicious:	false
Preview:	.<log4net>...<appender name="console" type="log4net.Appender.ConsoleAppender">....<layout type="log4net.Layout.PatternLayout">.....<conversionPattern value="%date %level - %message%newline" />....</layout>...</appender>...<root>....<level value="ALL" />....<appender-ref ref="console" />...</root>..</log4net>

C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	5.675149624141371
Encrypted:	false
SSDEEP:	384:QYCdkWmMEJAEUGz0PylRukCA+OYD0vRbqslxEmwlYu2:tCdkWmMQiylQHA+KvRbqslxEmeY5
MD5:	AF01286DFD69ABEB06AB1537E374628C
SHA1:	10D16C22B588AFE22FF330176200515D0192CE63
SHA-256:	3793DCB2D3C25D22577E9B8836FD11C5870BE01B068F2DBF04BEF4F32E6C83E7
SHA-512:	29CDD5647D751B459EABBFB60D6F8D404497FE2C8845DD6994A0D1F279CB63E0B4E4CD116C652266AD0BEC90056CCE5D1090C7CF659EBDBDD019C091D9828609
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0..N..........Rm... ........... ....................................@..................................l..O...................................<l..T............................................ ............... ..H............text...XM... ...N.................. ..`.rsrc................P..............@..@.reloc...............V..............@..B................2m......H......../..0<...................k........................................(....:.(......}......{...."..}......{......(.....(....(.....(....s....}....>.(......o.......(....-.r...ps....z.(.....(....o!...&..o.....Z.r...p(....sX...o....Z.r...p(....sX...o....Z.r...p(,...sX...o....N.r...p..sb...o.....0..$.......r...p.o.....,...(........s^...o.....~.....~.....(&...sI...s6........(&...($...s6........v.(.....s....}.....s....}....&..}.....>.{......o......0..........

C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\Driver\accesskeyfidovhid.inf

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83456
Entropy (8bit):	4.915846781735663
Encrypted:	false
SSDEEP:	1536:q1Hclj1z7qfAHwFj9f5G9RN5CJp+T8Atgwd7Fc5VzGwFMqO7W0:q182fAHwwouT8TOpcLG2M3W
MD5:	6EA4F64D02AE236A6B60E5E665079A89
SHA1:	DB974A620B2D766E8D0E7FEED4F95C8D5B01F4AB
SHA-256:	40AC07FEC5D9204CBB87D52BCE95AAEC67D37233BC3FFD9E9BAF02D0B55AB912
SHA-512:	EFC8520CCF8B712479AF23ADC4587FCAF9F8AC6E565F1073C2F97AEF45F7382FCA49E8E1E3A87B98BD66DD69D2CF8C46EE9EFB4B1DBB40DC2747145891BBB411
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F...'...'...'...L...'...L...'...L...'...L...'...'...'...L...'...L...'...L...'..Rich.'..........PE..d....p..........."......f...........n.........@..........................................`.......... ......................................t...........p...............................T...........................................(................................text....e.......f.................. ..`.rdata... ......."...j..............@..@.data...............................@....pdata..............................@..@.rsrc...p...........................@..@.reloc...............D..............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\Driver\disabledrv.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.460399887206969
Encrypted:	false
SSDEEP:	3:mKDDFAR+SZxvBAKeBeJ+dDDFBRyn:hmRBp2e+PBAn
MD5:	BC77DB060E792626050D496B5263979B
SHA1:	AC4DC60491EDBFCC9419971618DF44C97E4B2E73
SHA-256:	0F87882948A3F4F775CFAF5B2375CBFB9842C4FB85E0660320ED28513CCAB3BF
SHA-512:	728DA3F09EA11494F6D80EF964B27D716031F3D7C12F99EA322D36E40DE5AF0293635900190FB810BA50B3B8F19B06DE675260D88FECF36B55B85941B29E2B32
Malicious:	false
Preview:	@echo off..set args1=%1..devcon.exe disable %args1% && exit..

C:\Program Files (x86)\IDmelon\Accesskey\Driver\enabledrv.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.426990803617332
Encrypted:	false
SSDEEP:	3:mKDDFAR+SZxvBAKeALEHOvdDDFBRyn:hmRBp2+LEHOvPBAn
MD5:	7BF5E5460E19DA15BC50E4CB525FFE47
SHA1:	253F0562AE28E3E2B3C48EB0FFF58572BEDABC7C
SHA-256:	B968760E9B5E613B8D3E7C746F45256D204E71CA2D577EC19911BDF251555D89
SHA-512:	5AEB53187279B6621CDEF0A27099FC6960C190F9B7D376AD386E26C398DC7E11C968125A2818AA976BE7A5D7865A6EEFE3C232BE0EA18578FEBE98E8F3D3F905
Malicious:	false
Preview:	@echo off..set args1=%1..devcon.exe enable %args1% && exit..

C:\Program Files (x86)\IDmelon\Accesskey\Driver\installdrv.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	81
Entropy (8bit):	4.346542017363296
Encrypted:	false
SSDEEP:	3:jb6+SZxvWA4SSiheMLVLzAQDn:36BpWRiJLVoQD
MD5:	DE964C03675D7068BE42F3F269A40EB9
SHA1:	5F49AD4D74AB33FBB571A44A75079FF41A7356D5
SHA-256:	EFA52F366577471E8E304663EA30756D0302166059B5CDB95612D68550EB7238
SHA-512:	34EB3F7377F795B2CD79C89C0D1C2E20080FFE16E302F6B3E5B1F62E98725467C17800C6D52E05F952141ABDB7D3910DB30E7C1984CF0E8DCC73DA073326C576
Malicious:	false
Preview:	echo on..set args1=%1..set args2=%2..devcon.exe install %args1% %args2%..echo off

C:\Program Files (x86)\IDmelon\Accesskey\Driver\statusdrv.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	DOS batch file, Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	401
Entropy (8bit):	5.091399972357828
Encrypted:	false
SSDEEP:	6:SmR94BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RTiDhMB5ZBR:J74tdk5jtnrC0yyGyDR+A5J
MD5:	5992CF74AF8F737C1BD71D549D1C1065
SHA1:	6B38B8077C0D103ABA384C72BC1AEBFB2035D958
SHA-256:	BF41D1895CD280B1AEF7F41BA20F53C6D1EFF1FF9B83F8AB6E03299C5C367DF3
SHA-512:	F1BF08405256C7818CD027D87F0BB5634B4930139CD0B35DED33640F74EDB0E6D7BEEF714330B5873F1F0A3F585D06A3938E2D7651A26D9F36263C8E24D18191
Malicious:	false
Preview:	.@echo off..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..devcon.exe status root\IDmelonHid && exit

C:\Program Files (x86)\IDmelon\Accesskey\Driver\uninstalldrv.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.195849477991226
Encrypted:	false
SSDEEP:	3:jb6+SZxvBAKeXt9PgDn:36Bp2hgD
MD5:	1B4BAD54EB85ADB7C4350B331FBA9030
SHA1:	DFB39F684097EF2615ECDFBBEA07C61027085FFF
SHA-256:	DC525C3758A61AD80DC434023D0A53111BC2F54A1572E169BC5BEBD749CC9A9D
SHA-512:	D35E50A69907319525E92FA2B017B7F732E9FEA62B468F374804B488B5242451137480DC1755C02126EA302E95F4DAB6BBE6534B51E375AD6ECE2892C175B05B
Malicious:	false
Preview:	echo on..set args1=%1..devcon.exe remove %args1%..echo off

C:\Program Files (x86)\IDmelon\Accesskey\Driver\wudf.cat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	data
Category:	dropped
Size (bytes):	11622
Entropy (8bit):	7.262321244095951
Encrypted:	false
SSDEEP:	192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
MD5:	F99106D82F0FF3A7CEDEF078919DD359
SHA1:	C4281154C3B52B32467AB042B460333623033F3B
SHA-256:	51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
SHA-512:	8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
Malicious:	false
Preview:	0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.

C:\Program Files (x86)\IDmelon\Accesskey\EllipticCurve.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25088
Entropy (8bit):	5.301585636569163
Encrypted:	false
SSDEEP:	768:T/jmOxf+QZMuSOR8jfftu+lp3S/KG06EQ0v:TCOrLS/rk+lpMKG06EPv
MD5:	009DACE4EAA81F59E619B6AEF6684B48
SHA1:	8EED9304CC7DD14DD9B614B0EBB8464458170F10
SHA-256:	9059288BAE4FC8715CA67C98EEB0BECE76BA0CE196189B0FEF7EBE2E4D797CC4
SHA-512:	4E914F75C239E305319A75CFF358BB74F1D45694D66D6684AC59DD3B8515C13216E7AF74C6C7156F069666554E5796AF1DF0702A0BF847DD16694B28284630FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....hY..........." ..0..Z...........y... ........... ....................................`.................................Vy..O....................................x..8............................................ ............... ..H............text....Z... ...Z.................. ..`.rsrc................\..............@..@.reloc...............`..............@..B.................y......H........A...7............................................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}.....0..T........(......(......(......(.......(..................s&...(.......(.......(.......(.....0...........o#....j(....-..o#....(.....(....(....(....,...o$....j(....-..o$....(.....(....(....(....,..*.o$....(.....o#....(.....(.....o#...(....(.....(....(....(.....(....(h

C:\Program Files (x86)\IDmelon\Accesskey\Encryption.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	4.906632271878699
Encrypted:	false
SSDEEP:	192:GXh1+9FT278xgs9XoUPUx2rH2oq3PAU9hj3p991lRSzJEgB:iL+9FT2oxga9LrH2oY93pjRS9VB
MD5:	CC88D9CD36AFDB321CA58395A009B170
SHA1:	6D1FD46157840493DEA1DB8F7996DE606CD5B404
SHA-256:	62FA56823E248D1562EF54B14909A24C177F5A680EA661A2DBD01632D86C367D
SHA-512:	63D1C7F408EC8790E81114A3A36AAD0EC977CB2A544BBB34D56E677F3F29CE313358A3C8AE24EFB86601EF4CA18D410C3C20310E7E47060D976FCE51175A5EE6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.+..........." ..0.. ..........>... ...@....... ....................................`..................................=..O....@.......................`......4=..8............................................ ............... ..H............text...0.... ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......&..............@..B.................>......H........(..(.............................................................(......{.....0..O........{....,..{.....o.....+..{.....o.....r...p.{....{....(.....{....{....(....(......0............}.....(......}.....{....(....,...{....(....(....}....+Ks....%(....o....%.s....o....% ....s....o....%.o......(.....{.....( ...}......{....s!...}.......}.....(......}.......(....("...}.......0...........{....-.r...ps#...zs$..... ....o%.... ....o&.....o'.....{....~....o(....s).......s*.

C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	5.644125419442534
Encrypted:	false
SSDEEP:	768:zh/uRqYAXHKZ0DATRtMuVLco/6zeAWhk6xrMNcojEC9R9:zh/VY4YPMuVz/WeQsrMNcojZ7
MD5:	A9A0AA1A1D625C3919C79372EF288235
SHA1:	87028CD0D275BEDB1771B47FB4BAAF7AE6061BF5
SHA-256:	5F5C8A67FF04D3075DA7F5BC863D5D101E27EDE9336D2797179E2C83F1B000F1
SHA-512:	9728105C6356269E61AF1058898B6BD918C09A5E6956AF5073543CD4669B44E42F8FF41932C5F71CE9B8A49383FB01E9CFD619911E55828293757A888E053922
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B..........." ..0..h.............. ........... ....................................`.....................................O.......X...............................8............................................ ............... ..H............text....f... ...h.................. ..`.rsrc...X............j..............@..@.reloc...............n..............@..B.......................H........B..(C...........................................................0..Y........(....,...'....o.....[.'.....o.....],.r...ps....z..+....[...o......(.......X...o....2......0..M.........i.'........i(......i.Zs.........+.......r...p...'...o....&..X....i2..o........0............Y...'.........(.......0..$.........i..i.....+............X....i2...0..G.......s......'.....o....s.........+.......r...p...'...o....&..X....i2..o......0..*.........'......Y.+.... ...._...c%....

C:\Program Files (x86)\IDmelon\Accesskey\Fido.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.059106104983516
Encrypted:	false
SSDEEP:	24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
MD5:	332BE3E21BF51019D30F3682034BA4CD
SHA1:	B89362ACEAC875258EB616551F97C6BD022A9200
SHA-256:	E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
SHA-512:	0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1

C:\Program Files (x86)\IDmelon\Accesskey\FontAwesome.WPF.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	209408
Entropy (8bit):	7.118411209816897
Encrypted:	false
SSDEEP:	6144:Z8P7/P97ilHDqO01ktQOzB4YjDnX08RYA3fP5S:Z8PpilHD+kQA4uk8RYA3f
MD5:	2ACE85429EEE9E8320C82D878E5562B4
SHA1:	77ED8B89210930D1DE2495BA363519B696D0B6E2
SHA-256:	63D50DBE094BBCE5D7BF8AF08C0D919CFA5E057CA05AE7B27704A8477C8B348F
SHA-512:	7CE3467D1469ACDB544F4F42864D94C5AE0ADA252C5F096329E16D4B571FC1800BD572E52CFE902EE5D4B91D59A1A4182B07F40B7A4DFE54E338CA46684AF989
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....nX...........!.....(...........G... ........@.. ....................................@.................................`G..K....`...............................F............................................... ............... ..H............text....'... ...(.................. ..`.rsrc........`.....................@..@.reloc...............0..............@..B.................G......H........C..............D1......LC......................................F.~....o...........J.~..........o......0..E........u....-..t.......(....u....-...(............~....o...........o........0..T.......r...ps....re..ps.........r...p.....(.........(.................s....s....(.........*.0..G.............o....u....%-.&s......o....(...+(...+..,..#........o....+G.o....#........s....o...........o..........#.......?#.......?s....o....s.....s....%#........s....o....% h...ls...

C:\Program Files (x86)\IDmelon\Accesskey\Google.Protobuf.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	461600
Entropy (8bit):	6.121892709817012
Encrypted:	false
SSDEEP:	6144:r4/m8Ea0LJqGVByY/ISDYLh0JPYqe9XMKr0g3pkUtdJAtQLxisgFafDcabBv805E:M+VLJqGVBlASKXMKJLBL0k/
MD5:	54AEB9BDBCAA96811DB6D02A620D2229
SHA1:	795AB7B578D8DEEE64BFA1AECB50391ABD25B5D7
SHA-256:	B628AEE109C1FD016F955C2FE3549EDD5195D86B57A213189A6210C396D00756
SHA-512:	D16DE313B944975ECE181D49959EC33806771EB4B6926279628454746E7BD1B1AA8D7243CFC027102518CC679BA980918259789C814D522441578DBFBC5B4F34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ............" ..0.............^.... ........... .......................@.......N....`.....................................O....................... )... ......4...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................?.......H............Z............................................................(E.....(E.....(E...:.(E.....}......{....:.(E.....}......{......{...."..}....V.(E.....}......}......{......{......{...."..}......{...."..}......{...."..}......{...."..}........0../...........1.......(F......X...+...%.X........X...2...0..%...........i.Y.+.................X...Y...2...s....F.(...+(H...(....:.(I.....}.....~....2.\|....(J....(.......2.\|....(K.....{....2.\|....(L.

C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.Api.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	68896
Entropy (8bit):	6.319426362612074
Encrypted:	false
SSDEEP:	1536:MuuEI8RKXkCKysZ4rGzxViOZWBG+foVswKlOyDYGQeywKeP70xSc:hf5OrGzxUomgVswJyDYGQe/P
MD5:	68528BFB3CF84503766EFB6A3921B7A0
SHA1:	37FA9BFC4A2031383AC2A1A774EAE21CB2C2A55B
SHA-256:	90132B0E9AE73337CC3FD5958DD5380D1742ED4E51EE9B5452EE0D54156879FD
SHA-512:	9FF86B04F86CE643BF49E90B928072FC1E44ADA2CBAFF9F446166529F935B23C329D429FCF3B593E9BE62953011D3D2E29CCD15D234AC34E3E621D16168DA510
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o4.d.........." ..0.................. ........... .......................@............`.....................................O....................... )... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......LE..H.............................................................(&...^.(&......I...%...}....:.(&.....}....:.(&.....}....:.(&.....}....:.(&.....}......{....V.(&.....}......}......{......{......{...."..}......{...."..}......{...."..}......{...."..}....:...('...(......((.....r...p(...+}......r...p(...+}......}......{......{......{.......}......}......} ......}!......}"......}......}......} ......}!.....}".....{".....0..(........{....u......-..

C:\Program Files (x86)\IDmelon\Accesskey\Grpc.Core.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	485656
Entropy (8bit):	6.61009099792126
Encrypted:	false
SSDEEP:	6144:VrJLcdXl5xFcQyCmnMENW1H/M8f9Z5mNplX4XmRrcMFADwYCuMsligT/Q5MSg:VrJLcd15XafWN/vZ4NLqmRrctb65MB
MD5:	6155B91228D88A0CFFF0E8F32942E772
SHA1:	B855C00124FF8048DD278F3ADA5A3392576AA5D6
SHA-256:	AA99E6AD71C01997C154BE1F0F6E5402266F787422CF67D66C5D59F63D26131F
SHA-512:	4E6A0C07C09845072EBE16AA7087B572358800E6FF1691B2A2E6F56C60EBDDB29EB9CDD4412DC78A8B9738E2D14B76B6C72373DBC7CD444B972E6320A818A728
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.n..........." ..0..8..........BV... ...`....... ....................................`..................................U..O....`...............@...)...........U..T............................................ ............... ..H............text...H6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................$V......H.......t... ?...........K.......T........................................(......(....^.(...........%...}....:.(......}....:.(......}..........(....v...o......o ....o!.....("....0..V.........r...p(...+}$.....r...p(...+}%.....}&......r...p(...+}'......rC..p(...+}(......}).....{$.....{%.....{&.....{'.....{(.....{)......0...........q........})....6.s....o+.....0..)........s......o,...~-...~....~/...~0....s1.......0../........s......o2....s3...~-...~....~/...~

C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.9894399990535785
Encrypted:	false
SSDEEP:	192:6SNau5KGFgn97spCUyTEOehDXh5sy0x0cI:DFTgNfQOe1Xh5sym0T
MD5:	E9A35F8D6FC71C5DE125CC864FB66148
SHA1:	5E786CD645D8C2114A10E455E1BFD510A5DD8BE5
SHA-256:	DBE71AFF3E3B31669FFDAF6CE1ACD433014B818D9AFCD87843E0EA44CD5B894A
SHA-512:	324D78FBE5131FB62A5166B2D7FA328B70B8480E7E4A8C5133A9A497BE490056BF971E83A318D3D3556573C371ECA47CF9F12788B6D3A523ECA5066B5B1FF0B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....H..........." ..0..(..........nF... ...`....... ....................................`..................................F..O....`..............................tE..8............................................ ............... ..H............text...t&... ...(.................. ..`.rsrc........`.....................@..@.reloc..............................@..B................MF......H..........X..............................................................(......(......(.......(.......(.......(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}........0..p........-...u....,........+...(......(....(....,B.(......(....(....,..(......(....3..(......(....3..(......(........0..m....... C... )UU.Z(.....(....o....X )UU.Z(.....(....o....X )UU.Z.(....o....X )UU.Z.(....o....X )UU.Z.(.......(....XR..........

C:\Program Files (x86)\IDmelon\Accesskey\GrpcClients.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1430
Entropy (8bit):	5.037022201639899
Encrypted:	false
SSDEEP:	24:JduPF7NUrPH2/+CVQ7uH2/XV0PH2/+w3VV+TkH2/17zVVXBOH2/17z9y:3276g+CSagXsg+w3Owg1BOg1w
MD5:	FDC82C11296CA77D3A27DE9A030C06AD
SHA1:	B36EFA9C90C46386C8B745D4E865F9A6E40C75DB
SHA-256:	8E9E9EB64BF5F7BDAA2D18A19B8E5936640B8F14F3F6B89CDAD3B31A6E2D04D1
SHA-512:	60B143C7AC6B21ECB49CED9E826E320A65E95896568A82A5EC78D63A1B6A111C54952E68D9E7A81FAE064F4899D9DF3B354EDF78BE47B567BDDE58057FA2AB39
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutr

C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.6365058468804055
Encrypted:	false
SSDEEP:	192:SQZuc9daUvdNX3j7vGPYbbegoTnZOZOKzLgrDtd:SQcunfGPYbbegoTnZuWZd
MD5:	6BD94B959873B15EE070DB03C910E727
SHA1:	9255B0627EDA36B16DCFF2360BA3E79BA07BCC81
SHA-256:	94C31663DE6A9F509B9C259FC02FF709FE999EDD8708C98FA63D4F99BF09E696
SHA-512:	8156EFFAE8DD6B4DA5CA2F857F42D0FEC5AA97475A4CB2C0918B69A9E1454B144307CACF011F8F9CE05D422466E90D5CB3DE99215BD75FB4A7C0CFD26DB08A0F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X............" ..0..(..........BF... ...`....... ....................................`..................................E..O....`..............................8E..8............................................ ............... ..H............text...H&... ...(.................. ..`.rsrc........`.....................@..@.reloc..............................@..B................#F......H........(..0............................................................r...p.....R.{....-.r...prM..pR.{....-.r...pr...pR.{....-.r...pr1..pR.{....-.r_..pr...pR.{....-.r...pr...p:.(......}.....0............@(...+(...+....,.(....-..(....+..(....& ....(.....(....&..r?..p(.....(....rk..p(....r...p(......(.....s....}......(.....s....}.....{.... ....o....-..{....o....r...p(.......]......r>..p.o....(....(.......>.....{.....o.......r...p.o....(....(.............{.... ..

C:\Program Files (x86)\IDmelon\Accesskey\IDmelonVirtualHidAPI.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.059106104983516
Encrypted:	false
SSDEEP:	24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
MD5:	332BE3E21BF51019D30F3682034BA4CD
SHA1:	B89362ACEAC875258EB616551F97C6BD022A9200
SHA-256:	E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
SHA-512:	0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1

C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	5.942626437949717
Encrypted:	false
SSDEEP:	1536:l/yCHmCh+SXU3b88bGkc07ylVupbY1jht9lEwkfCKcxFQ:JX9kr86Gkc02lVupbyjvdg
MD5:	5F0FD20617D7DBF8D5EDDBA30DE47769
SHA1:	BA5BD4241D3BBA553A89AB8DF75314B70D1820C1
SHA-256:	DDA4728FC38441449EDB924FC35C94808999DA0AD4B1FC07D6FFA1732FDA8418
SHA-512:	A9A46D24F8E7F1E447E9741D8D9E4D4A564784F57CE53CA175DA6E21ADD5A860C1535B27248E7402FBB05DCE2C0668964F78C2EB66EABD5FC7B04BF6B2FDE52D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..X...........w... ........... ....................................`..................................w..O....................................v..8............................................ ............... ..H............text....W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H....... .................................................................{...."..}....>..(......(...."..s......{...."..}..........(......0..?.......s........}.......(.....,%.{....,...o...........s....(...+(...."..s....*....s....R.o.....o......s......{...."..}......{!..."..}!.....{"..."..}".....{#..."..}#.....{$..."..}$.....{%..."..}%.....{&..."..}&.....{'..."..}'.....{(..."..}(.....{)..."..})......0..................r...p.s....(".......0......

C:\Program Files (x86)\IDmelon\Accesskey\Logger.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1192
Entropy (8bit):	5.059106104983516
Encrypted:	false
SSDEEP:	24:JduPF7NV+TkH2/17zVUrPH2/+CVVXBOH2/17zVQ7uH2/X9y:327Gwg1Sg+CBOg1SagXw
MD5:	332BE3E21BF51019D30F3682034BA4CD
SHA1:	B89362ACEAC875258EB616551F97C6BD022A9200
SHA-256:	E2CBECB050A6F0296811552F52E238A5A24EFC7F31B156AFBAEF0B90D8F25534
SHA-512:	0A91ACF7620C99AE8896F0A2A9120B7081440234A68532054331F4E8CE16A12BC7FE07C12895A37625C6D0C3BDE7D97DBF003273BE906E581E487A402EBD98C0
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f1

C:\Program Files (x86)\IDmelon\Accesskey\Microsoft.Bcl.AsyncInterfaces.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	26752
Entropy (8bit):	6.512503595653532
Encrypted:	false
SSDEEP:	768:DulwnBhYlTVv2wK5idcgF4of1n6K9zUYJ:ywHYFtKYdcg/f1nXzUYJ
MD5:	970B6E6478AE3AB699F277D77DE0CD19
SHA1:	5475CB28998D419B4714343FFA9511FF46322AC2
SHA-256:	5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
SHA-512:	F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$:............" ..0..4...........S... ...`....... ....................................`..................................S..O....`...............@...(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............>..............@..B.................S......H........'..P..................,R........................................(......(....^.(.......1...%...}....:.(......}....:.(......}....:.(......}....:.(......}......(......(......(......(....:.(......}......{....:.(......}......{....:.(......}......{......(....:.(......}......{....^.(.......2...%...}....:.(......}......{....z.(......}.......2...%...}....V.(......}......}......{......{....:.(......}......{......{...."..}......{...."..}......{

C:\Program Files (x86)\IDmelon\Accesskey\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	711952
Entropy (8bit):	5.967185619483575
Encrypted:	false
SSDEEP:	12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
MD5:	195FFB7167DB3219B217C4FD439EEDD6
SHA1:	1E76E6099570EDE620B76ED47CF8D03A936D49F8
SHA-256:	E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
SHA-512:	56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O......................../.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..\|....(......._..{........+,..{\|....3...{{......(....,...{{.....{}.......-.....0...........-.r...ps....z.o......-.~.....~....

C:\Program Files (x86)\IDmelon\Accesskey\Numbers.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	294912
Entropy (8bit):	5.96623908194718
Encrypted:	false
SSDEEP:	6144:pjRrliK3x0YVUQAMiqzodDwRhSE/Z+j1DnJj1FVtZ//x:JRrliK3x0YVlAMiqzo/JZH
MD5:	39D370F850D234CF73DA822A7F2121BD
SHA1:	379960EF969DEF2B0A563C829BE3F413B52F49F5
SHA-256:	CF57674E763AD6F47F330AD21B2B663616AF053D6C5072540DD99879261FC6D3
SHA-512:	17F15A4C972DFE83DF07D321295C7C312D38569FE2DB19B45DF84C11890133B3542924343BB5B2838ADB2CEE1FEA47B3D214B6EA4C5801DF02B30C947F7E9CF6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`.........." ..0..v..........n.... ........... ..............................S.....@.....................................O.......$............................................................................ ............... ..H............text...\t... ...v.................. ..`.rsrc...$............x..............@..@.reloc...............~..............@..B................P.......H.......dK..8?...........................................................~.......Y..0..l.........Y.X........+W.-....Y~.....+D..3....Y~.....+4...3....Y~.....+#...Y.(....(....~9.....2..+...s.......X...1..r.(......}......}......}......{....o.....{....o.....{....s....2.{....o....6.{......_...2.{....._...f.{......_-..{....o.......(....-...(....-..{.....o.....2....(....{.....o............(....-..{....o.....{....o....o......{......_-..{....o....-..{....._-....*2.{...

C:\Program Files (x86)\IDmelon\Accesskey\RestSharp.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	184320
Entropy (8bit):	6.186528718822514
Encrypted:	false
SSDEEP:	3072:Zn1z0eAv+f6FuseJFf3+Ptl6n6dYQ7g8QqWF2OYiBbcfJS/zC3lR6O/c:Z1z0bv+f68LRol6n6diqyt8R6
MD5:	98A13F2791C25C39C65268A55EBC219C
SHA1:	9843E3FE2BDB0D42509F5B1DDF02A71A6683FC82
SHA-256:	199E6A74E46AE881AD238656169CEAA390E2C2CE8038494BAAC236C117838D9F
SHA-512:	3F74016B5FB2636F102DF8347D283FCDD831AD0884A133623CFB1147D1E47E795F772162A401ADEEB3BC1787FA022EF6302C50580BC2405A4C6C7DAA407CEEE7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....j..........." ..0.............6.... ........... .......................@......d.....`.....................................O............................ ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........d...................\|.........................................(2...^.(2..........%...}....:.(2.....}....:.(2.....}....:.(2.....}........0..a.........(.....o....oe....o\....o....o~..... ...%..oR....%..o!....(........o........(......(......(........0..S.........(.....o....oe....o\....o....o~..... ...%..oR....%..o!....(........o........(....*..0..y.......s.......}9.....}:..... ...%..{9...oR....%..{:...o!...........s3...(...+(...+..o6...,"r...p........s7...(...+

C:\Program Files (x86)\IDmelon\Accesskey\SQLite-net.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	5.985092012305013
Encrypted:	false
SSDEEP:	1536:oTQ+q+zYQKdQVHYMqMuuy6I2SbEt3/ilufBNaxJtfIlic7h8rp2:CVuX2SbEt3YC7ErBp2
MD5:	E9B6CAF8D7A3351D36BF3C16FCCD5BB6
SHA1:	5E06692D09AC842E3A87972D0827F655C06643E1
SHA-256:	1B40EEE85207AC6424BBE3E6ADECB8F2028D840AC7492CDD4C3C5D65D30591BE
SHA-512:	C8955986F37A716430AB3F905B0629B86488569DBF9CD112C408CBA9277E62A3ACC44E72910F4FD6C3973BFF2858E1C9174CB81A034CB1D874FC9E125D62C19D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...q ..........." ..0................. ........... ....................................`.....................................O...................................x................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......H...0.............................................................{...."..}....>..(......(...."..s......{...."..}..........(......0..?.......s........}}......(.....,%.{}...,...o...........s....(...+(...."..s....*....s....R.o.....o......s......{...."..}......{!..."..}!.....{"..."..}".....{#..."..}#.....{$..."..}$.....{%..."..}%.....{&..."..}&.....{'..."..}'.....{(..."..}(.....{)..."..})...rs................. ...( .....0..................

C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.batteries_v2.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.165095041426296
Encrypted:	false
SSDEEP:	192:MGLhQCwvA9yV+FOdJNFOYBH8aZ2L13pS9mWgcbcTVDggAA8b:phKpVrHHBH8aZqmgDTFggAAK
MD5:	FC99E1AECA222C1980C3042AC2E72C08
SHA1:	D94BBD5C3CB1324AA1B66E984E8DE2F3BEBC9939
SHA-256:	7AA16C8D1D924C877B5CFF9E84ECB633FA5E654B19A24F98CA2933319D193D15
SHA-512:	A86C1CCCDDD421F8D9A5EB9D89DE2B0D35736A98360B34EADA658C8C55A05FA941049CF1B735CC3721FAA81859E2B4C386F1892A58EC6BA7509F3418B0F0E801
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.=..........." ..0.."...........A... ...`....... ....................................`..................................A..O....`..`............................@..T............................................ ............... ..H............text...."... ...".................. ..`.rsrc...`....`.......$..............@..@.reloc.............................@..B.................A......H........'.......................@.......................................(......0...............(....o........(....s.......0............(.......(....s....(....6r...p..(.....0.._.......s!.....s....}.....{....r...p.r'..p(....o.........."...s....(....%~....(....,..{....o....s....z..0..#.......(......-...(......3...(....s....z...(....%~....(....,.r=..p.r'..p(....s....z..0..#.......(......-..(....&..3..(....&*s....z..0..7..........~....%-.&~..........s....%.....(.........

C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.core.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	50688
Entropy (8bit):	5.811409220314285
Encrypted:	false
SSDEEP:	768:jmOGveifSTtyXEQ3nPGLb4PFvSMJCD2j+SIfHq1wJd9P581IADm/Dskqd:FLTtyXEQ3+bO6U+dlrPi14LsX
MD5:	E4823410682299E5A17619043C789EFB
SHA1:	410D31CA04AF5264F265DF10DE499416225A0962
SHA-256:	C33995427EDD44FA641CF702DF8B63CC82CB7054DD984DC8277D15EE7C958874
SHA-512:	5DDF9C356CB813BCA2097184CB16172A6B3D70CFB17CD11216CD1268550C2C897BC0C42A6675720E334EBF150EBB3725185380BB5822D9B4D953B00EC0B21583
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,b............" ..0.................. ........... ....................... ............`.....................................O.......0...............................T............................................ ............... ..H............text........ ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B........................H.......@@..<...........\|.................................................(......(......(...........Z~....,..oB...&.............b~....-.r...ps....z~.....(#...o8....0..........(#......o9.....(....Q6.(.....(%....0..........(#........o:.....(....QR.(.......(....('...:(#......o?...N.(.....(.....()...2(#....o;...2(#....o<.....o......o....2(#....o=...2(#....o>...6(#.....o.......0..........s"......}"....{"...-...+....#...s.......(1...6(#.....o....6..(....(3..

C:\Program Files (x86)\IDmelon\Accesskey\SQLitePCLRaw.provider.dynamic_cdecl.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64512
Entropy (8bit):	5.579635492627126
Encrypted:	false
SSDEEP:	1536:Kjb2NmqeZsE64aEKbMsZG0EN3ovewf8unWE7LJ/ZE/i1:KjbUmqWL3MjWkV8I
MD5:	C8A7C821CC06720B082CC301C902675F
SHA1:	DF4F540B334EF6701F0C995CE1CFD10F2AF3A52E
SHA-256:	6C5A7905456018EB99C214644A25F2A93542E52AA0083A18F76FFEFF408D33FC
SHA-512:	6158C3F24AF9499A12FCB8D323E945E23D37C811DD7F5D668F98C189D359BDBAF4CB954A6C5C27B8675C0EACF23EC3BF9F51C9A90065903A5BFA0B88C1A26699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w............" ..0.............".... ... ....... .......................`.......#....`.....................................O.... .......................@..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......pG...................... .......................................6.......(.....~....F~J......o.......N........s....o...+..0............(........~......o2....0............(........~K.....o.....0..%.........(..........(........~L.......o........0..H.........(..........(........~M....o.............(....(.........{........o....2~$....o....2~#....o....2~H....oz...6~I.....o~...:~J......o....2~%....o....2~&....o....>.(.......o.......0..N........,........s.....

C:\Program Files (x86)\IDmelon\Accesskey\Scripts\start-service.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	401
Entropy (8bit):	5.064495148978155
Encrypted:	false
SSDEEP:	6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2R842uRn:F794tdk5jtnrC0yyGyD5Rn
MD5:	E870918430EAF37D07C8A8564B87468E
SHA1:	18BD9AF36B48432352AFFCEE343CF052D9E5249D
SHA-256:	5ADFAACE20B0A450F32B416A370A4773132145074DC5AF68A4BEB24CF4DA24AA
SHA-512:	B79E189866059E16F9D822F9326CDAD0191E80DF9B33F533F46CC2BB6350D4C1E45D17FE9765468546E6488F7514D6E2F39184E975A714AAC0CC589BD98C2FDA
Malicious:	false
Preview:	.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc start "AccesskeyService"..echo off..exit

C:\Program Files (x86)\IDmelon\Accesskey\Scripts\start-tag-service.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	408
Entropy (8bit):	5.0917913131282635
Encrypted:	false
SSDEEP:	6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2Re9SE7c2uRn:F794tdk5jtnrC0yyGyD0o0WRn
MD5:	818D01EAC4231B35964F077D5A2DD233
SHA1:	DB2B8DF50700CD3A1262572DAF097A90FCD55859
SHA-256:	D00C5EBDAF9D4455B3B62EB882D31A12001D89EF483447A52433300975CA7DA1
SHA-512:	FC961A202807BBD213BDC31549BF693611FC514D371CF386F4D8C6598517A40460212E7EDA299EC108ED1AF8D49F31BBFA79B8B685BAF88895ED2D6113D541EE
Malicious:	false
Preview:	.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc start "IDmelonTagreaderService"..echo off..exit

C:\Program Files (x86)\IDmelon\Accesskey\Scripts\stop-service.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	400
Entropy (8bit):	5.067904955709468
Encrypted:	false
SSDEEP:	6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RdFW42uRn:F794tdk5jtnrC0yyGyDTHRn
MD5:	AD612C9DDB6599506A9E675D6FCC4016
SHA1:	70B92B9CBC37BF58BA585AFBFBF341A6E49CEB56
SHA-256:	68D268C9ABB712BEE74ABC06FA3C025324241FE1A8B73122B5C1A0D0E82C066B
SHA-512:	DC424F1E4F59F74985DC62A652F7DB0574D2111DCF64A741EED2FA10C973B19B5C8AE25B87DC1DD4200B6E19000EF38DCA335627AE7F9DBCF5359FFC75BFF980
Malicious:	false
Preview:	.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc stop "AccesskeyService"..echo off..exit

C:\Program Files (x86)\IDmelon\Accesskey\Scripts\stop-tag-service.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (327), with CRLF line terminators
Category:	dropped
Size (bytes):	407
Entropy (8bit):	5.095958406848568
Encrypted:	false
SSDEEP:	6:F8694BgqrJzkmwPIct0yl/mmFN3tfRGiTy6EGrgyAyxAyI2RdZE7c2uRn:F794tdk5jtnrC0yyGyDTZ0WRn
MD5:	83999CB2B340534A72785D49A5185718
SHA1:	757E5D2833539108DD8EA3E03E81AD4165DD89C0
SHA-256:	FF7D44C5CF92026F63DF56CE6825B6E69EE14ABA6AE229E06C4AE03DCF1810AB
SHA-512:	A6A33396E7A28C6197072B8B797326A05C4217AD3AC27424F3963BD9EAF8065AA083D58C9BC8BD73F28FEC5A56F1A528A5211D2B39AAEE82F75F40CE1902ACC2
Malicious:	false
Preview:	.echo on..set "params=%*"..cd /d "%~dp0" && ( if exist "%temp%\getadmin.vbs" del "%temp%\getadmin.vbs" ) && fsutil dirty query %systemdrive% 1>nul 2>nul \|\| ( echo Set UAC = CreateObject^("Shell.Application"^) : UAC.ShellExecute "cmd.exe", "/k cd ""%~sdp0"" && %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs" && "%temp%\getadmin.vbs" && exit /B )..sc stop "IDmelonTagreaderService"..echo off..exit

C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	5.446927521203983
Encrypted:	false
SSDEEP:	768:sOAnaMx/sBpZ4LBGhj0Q/Zi4ugn8AZyQ33W076pLS:xAnDUBpZ8G/mAH
MD5:	C8B5C818EDA361C70D6F6B0168021787
SHA1:	A613691900EB3355712F44522B2C9EC16FAB0208
SHA-256:	E1776E33CB542C5ACF3272012D7D10A9A0825FDF4A61156A849922A1C2B2BFDD
SHA-512:	DC32B1F9189F559A8F3CE0EEA557E2AE98EB4C986E7C7ACDF96FC47BFA2C28B72CD877EAB1058F40A1B8DBF971B78AB0F2E70103AFCDCF12B5FF5C3071575AF9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!..........." ..0.............:.... ........... ....................................`....................................O.......x...........................D...8............................................ ............... ..H............text...@.... ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B........................H........H..d]............................................................{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......(........0..f.......r...p(....%(....o....o....o....s....o....o......8...%..:.o.......o......8...%..<.o.........&r5..p..............[[.......0..[.......rE..p.r[..ps....(....(...+~Z...%-.&~Y.........s....%.Z...(...+(...+t7......&("...o#................EK......Br...pr...p(....^s$...(%.....(&...o'...*....0..1.......~(..

C:\Program Files (x86)\IDmelon\Accesskey\ServerApi.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1673
Entropy (8bit):	5.020737883232971
Encrypted:	false
SSDEEP:	24:JduPF7NILhpPH2/i/QVQ7uH2/XVV+TkH2/17zVUrPH2/+CVVXBOH2/17zVEPH2/2:327ugDSagXOwg1Sg+CBOg1gg+w3w
MD5:	6B3FDF65DF4A30692CE9EF25E9B06E4F
SHA1:	DFBFABA0E0F9AAE107EA8C4AC21B6342F7A825DC
SHA-256:	CD5E255267B12593722E107DA6205EA0C3BEE8242BB742B87979E0546CFBF162
SHA-512:	80AF3C7633A724D57E1AB2EF75762A271CD7AFD9E31E1C3C591B89EBB2413944FFB04D23D9CF5AF8318CBD8A979E1F202E53FB59B7FBC14EF8BFE2FBA0AA0380
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Text.Json" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-7.0.0.3" newVersion="7.0.0.3" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" cultur

C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	165928
Entropy (8bit):	4.8862081336233
Encrypted:	false
SSDEEP:	768:P1PybS2XfSy8S0jS9tRNCsB48pwZHgyQLiqMphHY+BHAKqQK+pODKE9uLUKgKNJU:P16ZI+C30UHfwi5H0upOOyLDQvNX+L
MD5:	9E99F6F2DC43830D3959E55EDDDDB422
SHA1:	98421E8A9C1338AD98D8115C8F7E85CFC7F778CE
SHA-256:	D4F6EDE434577D4D47DB52EDE20762343968AA55B126DE34899E0CB8D95DE897
SHA-512:	B7E898CA1BE2356C3F2C26327D0857E95ECBB51C2688EF34CFF2760AEA7FDDF4F04BD1498A8955327BA15825B47A27C34239B6E0D6E7A85EA743D017532652DF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Zu............"...0.................. ........@.. ....................................`.................................u...O...................v..(...............8............................................ ............... ..H............text........ ...................... ..`.rsrc..............................@..@.reloc...............t..............@..B........................H.......hb..p............................................................0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3.....0..)........{.........(....t......\|......(...+...3..~....{....2~.....}....J~....-.s.............0..V........(.....s....}....(L...-.r...ps....z.{.....(L...s[...o............s....(....~....o.....~....{.....{I...o.....{H...o\|...*r~....{.

C:\Program Files (x86)\IDmelon\Accesskey\Service.exe.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2158
Entropy (8bit):	5.001906641704252
Encrypted:	false
SSDEEP:	48:327Yg+mSg+Cgg+w3Owg1BOg1sg+w3mgDSag+FIw:KkTJweJywDN
MD5:	08F1F6BE83F37D15AE0712D06BE2A2BD
SHA1:	5406180DD412ED1F1156FB9D2D3F8DCA46FCADC8
SHA-256:	A76DD9BC94DC1898DBA458FD6723D6D13FA5BF6C1C1A7DC427176FDA9452C255
SHA-512:	924919364B3D452ABD3B3C28E12AEE6269F3B00022BD28D6C937BDA0442276876C1D9529E275772C28EE7147A6FFA037DFC94CEAB24C0F3EA5790A98ED30035D
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.4.0" newVersion="4.1.4.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.ValueTuple" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />..

C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Core.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.274825677811034
Encrypted:	false
SSDEEP:	96:ysIyrk8HlIxX8cr22F+04xXzLjsUCj5CWCwLp:ybuSXXr2G8Lg5CC
MD5:	972CF7A2ABA153424A0662839E3392C2
SHA1:	1C578A512D07B4EC6DB9FBA6764052A9F0F6E1BE
SHA-256:	6471168C0B27CE265A51C17E49D45411FAB1CFEB9232AC8121C72E473A9F5AE5
SHA-512:	C8ECDBF4B445A92368F4495638B6A92CA221119FD720719317F0BE2C38A3B959560C7275873FD44D7FE561ECB9577B0685CD08E466ED3B4668A7C095ADD2F4C9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C_............" ..0..............-... ...@....... ..............................Z.....`..................................-..O....@..<....................`.......,..T............................................ ............... ..H............text........ ...................... ..`.rsrc...<....@......................@..@.reloc.......`......................@..B.................-......H.......P ......................D,......................................BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.d.......#GUID...t.......#Blob...........W..........3..............................................................g...........................<.....&.................?.....\...............................(.............................5.........y...5...........................5....... ...V.....V....... ...V.....V.....V.....V.6...V.

C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.Core.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	4.852842646024464
Encrypted:	false
SSDEEP:	96:hOzpHU8Qv77EBsSfSMe3qDdxst4jJEjrluuCTI6y4:k+tXjSfrQ7tGJqr0H1
MD5:	A97869B96E79428CD4DE4FF68033004C
SHA1:	C4AA6C116BAD95CEE3AE55634F314271280CDCF7
SHA-256:	A3C7E1BE985467BBB6877A2B943CCA4CF51D0AD95AC77832180AA0C32DC02AB5
SHA-512:	77E76F6982302408944BD1508342AEB0B0BBA78745B2884D1EE3958025CB64A370CD3861348FAD40DA13F9B8E66B94AB6113247F8C0B5B52E4697854BC5E98C5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Y..........." ..0..............3... ...@....... ...............................L....`..................................2..O....@.......................`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H........!......................H1........................................(....:.(......}......~....%-.&~..........s....%.....(...+..~....%-.&~..........s....%.....(...+o.......0..O........~....%-.&~..........s....%.....(...+~....%-.&~..........s....%.....(...+(...+..{...."..}......{...."..}......{...."..}......(.....s...........(.....o........o........o.........o....*.BSJB............v4.0.30319......l... ...#~......\|...#Strings............#US.........#GUI

C:\Program Files (x86)\IDmelon\Accesskey\SocketIO.Serializer.SystemTextJson.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.368820720638889
Encrypted:	false
SSDEEP:	384:nwTZplrcrd+qyGDbDDDDbDUl081IgEeOpNdueeu2eUA:w1HqQlqeWdue4A
MD5:	21EBD70AA77DAEEB17A2CBF67C692303
SHA1:	E07B57C359ADDFF75A05A27A89A156AB04B84F4E
SHA-256:	03DDC08CDF50F6459342190B5C420AA34593B30A8BEF6BDB151F9A0B6DA99178
SHA-512:	8C87605AD79AE623D0AC727F5F87FBA8EF2DB37818E8906C281B689B22DA55A122932BE427E76AE463D18FFBDEC5695BD761B6AD1DE48EE047CEA0AB8EA24D8F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@..........." ..0..6...........U... ...`....... ..............................0.....`.................................\U..O....`.. ...........................LT..T............................................ ............... ..H............text....5... ...6.................. ..`.rsrc... ....`.......8..............@..@.reloc...............>..............@..B.................U......H.......8....%...................S........................................(....:.(......}....J.(.....s....}......{.......0...........(.........(....&.(.....3..(....r...p(....,...(....&.(......3..(....-...(....&.(.....3..(....r...p(....,...(....&.(......(.....o.....(....&.0..I........(.....o.....o.....r...po......o.....r...po......(....o.....Yo.....o....V.(......}......(......{......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....

C:\Program Files (x86)\IDmelon\Accesskey\SocketIOClient.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	78336
Entropy (8bit):	5.871892034938933
Encrypted:	false
SSDEEP:	1536:lumQyiDPHmQ9WunI5z+rMhBgowTY3Hwmj1q2jwkrM9a:gm3umQbIiMhBrws3QI1qRkrP
MD5:	4B7D9B4D9125563AA9559AE6514B4531
SHA1:	49040376A040DD128EACD561850990883F02A2CC
SHA-256:	83EDC51BFE335F8744604E60DD7B761EE8197DFC79B3FACB754ACB71998A1690
SHA-512:	3313BACD146A5566DFD70563FAFD2356AEE40094922B823AF2EDFD58EDA1E1715B637F89ED339068CD567416B3DD9B9A87F68FA38DEA7AA2558EC1F4D6D758C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...cU............" ..0............jH... ...`....... ....................................`..................................H..O....`..............................8G..T............................................ ............... ..H............text...p(... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................LH......H.......x...@....................F........................................(....:.(......}......(.....r...p.....r+..p.....rU..p.....ro..p.....r...p....."..(....&...(....6..s....(4...6..s....(6...:..s.....(6.......0..k........s....}.......s....}.......s....}&......s....}(....(......%-.&r...ps....z(8.....%-.&r...ps....z}.....(\.....{......{.....(....,...}......(....,..o....r...p( ...,...o....(<.....{...."..}......{...."..}......{...."..}......{......{...."..}

C:\Program Files (x86)\IDmelon\Accesskey\Storage.db

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
File Type:	SQLite 3.x database, last written using SQLite version 3033000, file counter 5, database pages 10, cookie 0x5, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.2878717232896105
Encrypted:	false
SSDEEP:	24:TLsnOLXGt+MwZvp6XGT+MxgrXGt+MeiMXGZJU5dXGtz9leeee:TRLXKM9p6XSFgrXKKiMXOIdXKz
MD5:	512E0C244AC04D27B26F4269F8071065
SHA1:	C2F421D27D62B378D245AC19789A85FF2695D838
SHA-256:	6D08531FFF511C9F2EF043DA2486AE777ECA77E1A8F81994751ACBD6FE22BFAB
SHA-512:	D77D4C1EC123EA2B4B1AC71F3101BA6FE292F1890ABB657C6382BA5D50E0D743EE1F8C41F6E69125CEC34DBDAF21F39F1BBFE1F2D1419E7A2F556A88A7629F02
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................G.......o..s.....P.0...5...o..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\Storage.db-journal

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
File Type:	SQLite Rollback Journal
Category:	modified
Size (bytes):	4616
Entropy (8bit):	1.5716632048498833
Encrypted:	false
SSDEEP:	24:7+tVRPqL0G6XGT+MxgrXGt+MeiMXGZJU5dXGtz9z:7M3qH6XSFgrXKKiMXOIdXKzd
MD5:	A19B18F253C10F0F2E64A9C089A88350
SHA1:	3FE8C3A29BF3A1107D01C9ED7D802438B2601A78
SHA-256:	61E71C16C63E52F6B87DAA2F391D9B0315F04F99344EA67C0BA4B26E5E70A9F3
SHA-512:	F24B519A20C4DAA8FFC0F57E0F1F85CBC80A9ACFC45B2B3C1A307077F50147892A4224A110470AD463CE70B53493305B5758EB9E5ADC4CE047B85B72681E1C89
Malicious:	false
Preview:	.... .c........X....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................G.......5..s.....P.0...5..........................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	5.35006186027745
Encrypted:	false
SSDEEP:	384:HbLoKXGYTOw7+GwJ5pm83AYsoOLHG/dH6W:HbLpG9WooHGFHB
MD5:	ACDD4380035D977ABA2FA558A351FC2D
SHA1:	7B67E12F024C3E159A01C4C812ABB2EBD87EDF6D
SHA-256:	BE75B10A04E02FCCBE9DA405262A56EEFE53310FE0E6C309B1E6CC71C9E249D0
SHA-512:	70E70D7883534854AC440A4DE1EBB3ECA3DFD3ADB76D1E0FA1A8DE2C10DFB3FAE88AFD17E45F5233B1A2B0BD19A5AD46897E949459BC7AE57310AA52CBD4B0DC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s............" ..0.............I... ...`....... ....................................`.................................II..O....`...............................H..8............................................ ............... ..H............text....)... ..................... ..`.rsrc........`.......,..............@..@.reloc...............0..............@..B................}I......H........(... ........................................................... ......(.....s....}.....{.....}W....(....b.(.....s....}.....(....R.(......}.....(....F.{....o....o.....0..b.........i...i..{....-..(....,....}Q......}R.....{.....{....{W...o.......{..........o....}R......}Q.......0............i...i.!.......+.........i....X......i2..{....-..(....,....}.......}......{.....{....{W...o.....{.....o.......{............o....}.......}.....*....0.......... .....".........

C:\Program Files (x86)\IDmelon\Accesskey\Suprema.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1415
Entropy (8bit):	5.0365606453501925
Encrypted:	false
SSDEEP:	24:JduPF7NruH2/+YVV+TkH2/17zVVXBOH2/17zVUrPH2/+CV0PH2/+Q9y:327Yg+YOwg1BOg1Sg+Csg+Qw
MD5:	74A1E9E2C09E9A02425E15E3734C3AB7
SHA1:	BDA59ACB1E4BE2214B795AE54C4845EC62FF60FA
SHA-256:	6AFD5C4F0AF961344237D01CC076B22DAD492757A83E888B04518E37962AE5A5
SHA-512:	535B7BD67267DA6C4D6C864FBD73150277466091E738376E1D09DE68DC480DEC654AE7856D05D18E4096D3C9222E4024CDE430EE80E7D29AB7201F7BCB2E1BE8
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.1.3.0" newVersion="4.1.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" cultur

C:\Program Files (x86)\IDmelon\Accesskey\System.Buffers.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	20856
Entropy (8bit):	6.425485073687783
Encrypted:	false
SSDEEP:	384:/rMdp9yXOfPfAxR5zwWvYW8a2cyHRN7vCvlbLg:/rMcXP6N6e
MD5:	ECDFE8EDE869D2CCC6BF99981EA96400
SHA1:	2F410A0396BC148ED533AD49B6415FB58DD4D641
SHA-256:	ACCCCFBE45D9F08FFEED9916E37B33E98C65BE012CFFF6E7FA7B67210CE1FEFB
SHA-512:	5FC7FEE5C25CB2EEE19737068968E00A00961C257271B420F594E5A0DA0559502D04EE6BA2D8D2AAD77F3769622F6743A5EE8DAE23F8F993F33FB09ED8DB2741
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ....................................@..................................B..O....`..@...............x#...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....B.....(.........R.....(...+%-.&(!...^.....("....(...+&~.....s$..."..s%.....(&........0......................

C:\Program Files (x86)\IDmelon\Accesskey\System.Memory.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	142240
Entropy (8bit):	6.142019016866883
Encrypted:	false
SSDEEP:	3072:nUGrszKKLB8a9DvrJeeesIf3amN32AW/rcyw/s:OB8l3/aK32qU
MD5:	F09441A1EE47FB3E6571A3A448E05BAF
SHA1:	3C5C5DF5F8F8DB3F0A35C5ED8D357313A54E3CDE
SHA-256:	BF3FB84664F4097F1A8A9BC71A51DCF8CF1A905D4080A4D290DA1730866E856F
SHA-512:	0199AE0633BCCFEAEFBB5AED20832A4379C7AD73461D41A9DA3D6DC044093CC319670E67C4EFBF830308CBD9A48FB40D4A6C7E472DCC42EB745C6BA813E8E7C6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`.......>....@.................................`...O.... ..@................'...@......(................................................ ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...>..}......}......{......{......{.....{....3..{.....{....((......0...........%.u....,..........(.....z.{....%-.&.+.o)....{....(a.....(....zN........o...s+....(....z.s,.....(....zF(U....(O...s-....(....z.(V...s-....(....z.s.....(....z.s/.....(....zN........o...s0....(....zrr...p(\....c.K...(O...s1....(....zBr...p(Y...s1....(....z.s2....(....z.(X...s3....(!...z.(_...s3...*.(#...z

C:\Program Files (x86)\IDmelon\Accesskey\System.Numerics.Vectors.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	115856
Entropy (8bit):	5.631610124521223
Encrypted:	false
SSDEEP:	1536:nPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/hV+sUwS:nWw0SUUKBM8aOUiiGw7qa9tK/bJS
MD5:	AAA2CBF14E06E9D3586D8A4ED455DB33
SHA1:	3D216458740AD5CB05BC5F7C3491CDE44A1E5DF0
SHA-256:	1D3EF8698281E7CF7371D1554AFEF5872B39F96C26DA772210A33DA041BA1183
SHA-512:	0B14A039CA67982794A2BB69974EF04A7FBEE3686D7364F8F4DB70EA6259D29640CBB83D5B544D92FA1D3676C7619CD580FF45671A2BB4753ED8B383597C6DA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................DF....@.................................f...O........................>.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..\|?..........$... ...D.........................................(....&.l(....k&.l(....k..l.l(....k..l.l(....k&.l(....k&.l(....k&.l(....kj~....%-.&(....s....%........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....2rG..p.(....2r...p.(....*2r...p.(.

C:\Program Files (x86)\IDmelon\Accesskey\System.Runtime.CompilerServices.Unsafe.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16768
Entropy (8bit):	6.361391591273708
Encrypted:	false
SSDEEP:	192:LGLxTyHvc4ROgcxAdWXYWJeaPtWsI9A9GaHnhWgN7aJeWw0fnCsqnajt:LgGLROZAdWXYW8aPcyHRN7WEqn1lx
MD5:	DA04A75DDC22118ED24E0B53E474805A
SHA1:	2D68C648A6A6371B6046E6C3AF09128230E0AD32
SHA-256:	66409F670315AFE8610F17A4D3A1EE52D72B6A46C544CEC97544E8385F90AD74
SHA-512:	26AF01CA25E921465F477A0E1499EDC9E0AC26C23908E5E9B97D3AFD60F3308BFBF2C8CA89EA21878454CD88A1CDDD2F2F0172A6E1E87EF33C56CD7A8D16E9C8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!................^2... ...@....@.. ...............................y....@..................................2..S....@...................#...`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@2......H........#..@...................P ......................................{.v.`)!.t..@.62C<.=...h....X..}.`v.r...g.e...yXa.dat.mwQ.XdJ...M..`..J...$\|.j.6W.U.3.r.A.h.....9Q..\|..,<g..gy..6V9o%..Gd.r.0...........q......0..............q.......0..............q.......0..................0......................0......................0............q.............0............q.............0..............0..................0..................0..................0..........

C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Encodings.Web.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	78976
Entropy (8bit):	6.105061710610473
Encrypted:	false
SSDEEP:	1536:4OO7OOOc2yIDmBkKQh3rt7jUGyRG/mz4CRLf8ocVW4t72bfQZHzp:fyMmXQh3rNjUFG/mk8f8owW4s0ZHF
MD5:	C77AE3414D78C1F082C65415FAE69661
SHA1:	3B35461D86A774535AC226CA9706FB50332DE20A
SHA-256:	C792BFE3F43C894E20339252D159A96A20CCC6E13322B2D382570FF97939E501
SHA-512:	08941BA8BE5031CC4E363A916525437C62B409576C91C10FC72795FAA10BC989F0D1797B576802E208DFE4305A4447C0299E2755BA92F97F531DE1F56FD5865A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u............" ..0.................. ... ....... .......................`......<.....`.....................................O.... ...................(...@..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........m......................H.........................................('.....('.....('...^.('......8...%...}....:.('.....}....:.('.....}....:.('.....}....^.('......9...%...}....:.('.....}....:.('.....}......0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X((.....R...((.....d.R....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X().... ...._.S...().....d.S..0..&.........+....(...G...Z.(......X....(+...2....0............(+.....1...(+....Z.:..

C:\Program Files (x86)\IDmelon\Accesskey\System.Text.Json.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	582320
Entropy (8bit):	5.99177382417674
Encrypted:	false
SSDEEP:	12288:Bo+rY8ZyAVNXL1VPGSEiWqJHsiEg2A9fLF:BhxXXrPGS6A7h
MD5:	B7083FFD5D2BBBE83C6B439196838D78
SHA1:	17B58D7F1CFFE4C1DD8E8246E127C949F4066D85
SHA-256:	D14DBC34F6824757E6F6AE758B05F76C447F96F8D75BE3C4B8286FCC5A388B30
SHA-512:	6C82D0F3B8E65DB99AA6F3973A6CB69CC9D02EFD3C3CC55AF03F01D5318360054E004EA4BCB53A2A7CF5DC1C0D77DC9183B479654CF88BBAC7B263FC68C61B16
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... ......+.....`.................................i...O........................(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........S..............`O...w............................................(J.....(J.....(J.....(J...^.(J..........%...}....:.(J.....}....:.(J.....}....:.(J.....}......(J...:.(J.....}.....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(K.....R...(K.....d.R....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(L.... ...._.S...(L.....d.S..0..&.........+....(M...G...Z.(......X....(N...2.*...0............(N.....1...(N....Z.....(...+.+...(N....Z......

C:\Program Files (x86)\IDmelon\Accesskey\System.Threading.Tasks.Extensions.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25984
Entropy (8bit):	6.291520154015514
Encrypted:	false
SSDEEP:	384:1R973o62/KqcAnb05J3w0I5eUGef8s72XBWdvVW2JW8aJcyHRN7WEimpplex:1RZ4nNxnYTb6Blha
MD5:	E1E9D7D46E5CD9525C5927DC98D9ECC7
SHA1:	2242627282F9E07E37B274EA36FAC2D3CD9C9110
SHA-256:	4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
SHA-512:	DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..8...........V... ...`....... ....................................@..................................V..O....`...............B...#..........PU............................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................V......H........0...$...................T........................................(......(....z..(....z2.(....s....2.(....s....:........o.....~....~.-..(......}......}......}....~.-..(......}......}......}....Z..}......}......}....J.{....%-.&.o....^.u....,........(.....~.{.....{....3..{.....{.......&...(....2...(...........0..'........{......,..u....%-.&..(...+(....(....n.{....,..(....s.....q......0..a.........{....o0.....,;..{....o2...(......;...3.~.......s......

C:\Program Files (x86)\IDmelon\Accesskey\System.ValueTuple.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	25232
Entropy (8bit):	6.672539084038871
Encrypted:	false
SSDEEP:	384:VyPa16oAL4D+wW9IWmDIW4IWYDMFm0GftpBjMIraQHRN7VlmTpF0:VWs6oqDjADKeDYViG+LN
MD5:	23EE4302E85013A1EB4324C414D561D5
SHA1:	D1664731719E85AAD7A2273685D77FEB0204EC98
SHA-256:	E905D102585B22C6DF04F219AF5CBDBFA7BC165979E9788B62DF6DCC165E10F4
SHA-512:	6B223CE7F580A40A8864A762E3D5CCCF1D34A554847787551E8A5D4D05D7F7A5F116F2DE8A1C793F327A64D23570228C6E3648A541DD52F93D58F8F243591E32
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...............................H....@..................................2..O....@...............$...>...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%..........0..$.........(.....o.......&...,....o....,.....................,!(....,..r...p.(....(......(......(....,.r...p......%...%...(......(.....(....,.r...p......%...%...%...(.......(.....(....,!r...p......%...%...%...%...(........(.....~....2r...p.(....2r[..p.(....B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	58880
Entropy (8bit):	5.651114038528575
Encrypted:	false
SSDEEP:	1536:cDO9PdVWTawODut3SZHVlC1i9ZUNOJufiacJ:qznO9ZHVA14Z6b+
MD5:	EFD5FCE9CDF53D5C85E525785303ACB5
SHA1:	2A19F03B1581C92BBA9779B52942110E993CB2B1
SHA-256:	124F009C133115826657F247B197A29E77358B2D2B2F88E00320A566E5DD92B6
SHA-512:	3B6086BF1E4F2E1A0A1A01DDEEEB28245E9CFE9064A570EBEFC385BC410E2ADAC6547F47B56DD990C9B8CE558CD92EAFA31DB7EEB71E6480A6945F61A5EB9247
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.(..........." ..0.................. ........... .......................@............`.....................................O............................ ..........8............................................ ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......Di...............................................................(....^.(.......1...%...}....:.(......}.....~.......0...........$.2...%.r...p.%.r{..p.%.r...p.%.ro..p.%.r...p.%.rc..p.%.r...p.%.rW..p.%.r...p.%..rK..p.%..r...p.%..r?..p.%..r...p.%..r3..p.%..r...p.%..r'..p.%..r...p.%..r...p.%..r...p.%..r...p.%..r...p.%..r...p.%..r}..p.%..r...p.%..rq..p.%..r...p.%..re..p.%..r...p.%..rY..p.%..r...p.%..rM..p.%..r...p.%. rA..p.%.!r...p.%."r5..p.%.#r...p.(....(............

C:\Program Files (x86)\IDmelon\Accesskey\TagReaderGRPC.dll.config

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	928
Entropy (8bit):	4.995731281926125
Encrypted:	false
SSDEEP:	24:JduPF7NQ7uH2/XV0PH2/+w3VUrPH2/+C9y:3276agXsg+w3Sg+Cw
MD5:	76B344530DD42F0FEFF3CA3260B4742D
SHA1:	A80D8B82F4CD400BDB2967C50FD9531C3D2E33DD
SHA-256:	670AFA345EB43C0E2AA042236AAA429796C8A70396360E5D091A50A066730019
SHA-512:	EDA8FA1B9ACBF6FCA579B9263E8039429D8A81B2F3414A265E5755F2F5B10B6166EE74100B147399F5130C79883EB1CFCD5BC0DE6A0A5C1EC81322A897F8C49A
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.2" newVersion="4.0.1.2" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

C:\Program Files (x86)\IDmelon\Accesskey\URIUtility.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.4382207566495016
Encrypted:	false
SSDEEP:	384:9xfl8lKmlSlm+ElBSSLqbKabycb787BlQHZrvyHRD09iDmA:9xfqT0788s8f874H4xtB
MD5:	F77DEB0E6843989453DDFC19FFF5988D
SHA1:	57B4A410356A5752BF54259A19399007C443D3F4
SHA-256:	4CF1BE49C8CDB265603E446F755DFD1F2D79AE3398BA730A734B74A6C49EFE38
SHA-512:	18D10AE9F2DF5AD9CC01EE7D8810014DD55FA904D9EB4FE119A4DECF67027DE2B6E3600A291C6A58999A8788F10EF6891285E71E89929D65767073DD257F34CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y].........." ..0..>..........~\... ...`....... ..............................$'....@.................................,\..O....`..x............................................................................ ............... ..H............text....<... ...>.................. ..`.rsrc...x....`.......@..............@..@.reloc...............F..............@..B................`\......H........F.......................[...........................................2#.r...po....&...........Yo....o....&.....2!..#o....&............Yo....o....&v...........Yo....(....o....&b...........Yo....o....&.....2 ..?o....&...........Yo....o....&.....2 ...........Yo....o....&..:o....&..0...........-......3..,....o.....("...+....-...,....o.....("...+......o.....s.....8......o........ ...._ ....3E..X./?...Xo.... ...._ ....3) ...... ...._..bX...Xo.... ...._X....X.+... ..

C:\Program Files (x86)\IDmelon\Accesskey\WebKeyLocalServiceDotNetx64.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	111200
Entropy (8bit):	6.1221789546919325
Encrypted:	false
SSDEEP:	3072:Vf5KanssKF6BsefWKqjBbbgPiQ5i5v7F4MsiDMxi0:qasspVfWKMFQM34Mn50
MD5:	FFEEE6F46AAF9B189DDC7FC3B3357FC4
SHA1:	BD087AB87968434BACBA247CEBA70478904EC4A3
SHA-256:	01C2BA352545C2B28D4CA2AA7E6B042C52214B8312372D66FD4514C3FE6D133B
SHA-512:	8B100634D04271C14B9C96C3F5C373B405FBCD41696C7FAA029438886122903BD93BDC88F4073580F381A3487A999242F831AB2D61F79005F9C33C160BE58754
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;a_.6...`q..0...W...1...,K_.0...`q..'...`q..5...`q..3...p..0...2.......p..?...p3.3...2.[.3...p..3...Rich2...........PE..d...B..d.........." .....P...8.......Y....................................................`.................................................,`.........../......4.......`(......@....s..T............................t...............p.. ............r..H............text....I.......J.................. ..`.nep.........`.......N.............. ..`.rdata..\....p.......T..............@..@.data........p.......N..............@....pdata..4............T..............@..@.rsrc..../.......0...X..............@..@.reloc..@...........................@..B................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\WpfAnimatedGif.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	42496
Entropy (8bit):	5.782944900930189
Encrypted:	false
SSDEEP:	768:H0Gl7W1UiZTo1ooEqTh0sq/s/MnBOyvUPrYZbkch:UqQpZTsooEah0sqU/by4UZzh
MD5:	47D729B6841F1E0E510BBC7D74454B73
SHA1:	BB7A519A2BF2DBFA8AEF238241D6DD5C62AEED77
SHA-256:	B4C69BE213BA3DD40E6BC819B7BFC13AB03D06D5F3EFA0E4643B1B55E5A529F9
SHA-512:	F5ECD0CCA56306273685C12CCB5AF8F540161E2CFFE3F639A2FA1F9DE29CFEBB2F6D8F8BA4AD43E02A721DA30DD8E3CC911E46E4237578E026A5BA8C059429AF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ...............................F....@.................................J...O.......$...........................h...T............................................ ............... ..H............text........ ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B................~.......H........H..Hq...........................................................{......{....V.(......}......}.......0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....... ...' )UU.Z(.....{....o....X )UU.Z(.....{....o....X...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!......0..2..........(....~.......o"...-.~.....s#...%.o$.....o%...&*...0..A..........(....~.......o"...,)..o&..., .o'...-.~.....o(

C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	19082792
Entropy (8bit):	7.993961306364174
Encrypted:	true
SSDEEP:	393216:V/m3pWBJH9dNrvymWTOha1OQK2GN2gLocDfDgMc6XCTLJWfRVyv43Gc:VK0LNrvy5ql12GIYocb0zQIL8fR5Gc
MD5:	FC4E01D66E8A5D58C306CEB4D115E464
SHA1:	83A3707C8E265702263B4C25E66D31785B5DA1DE
SHA-256:	54A1096D6A9DEEC8503831B262610314410C6307F0B98ABC74EED747AA6589F1
SHA-512:	F52FB92F69DC9EA53B83D2A6E9D50DD9A3083BFCEB6A5FFB36E68B38EF70D673D96E171B30B029E52E08F3ED61E8EA7158B9A53D4F762F182E1B562FB9FD5273
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]..G<.G<.G<..D..O<..D..<..D.M<.G<.F<.A.>.C<.A..o<.A..V<.A...V<..D.@<.G<.><.(..R<.(...F<.RichG<.........PE..d.....vf.........."....&......................@.............................@........#...`.....................................................P............@..d#....#.(....0..\...p...............................0...@............................................text...P........................... ..`.rdata..&,..........................@..@.data....3..........................@....pdata..d#...@...$..................@..@_RDATA.......p......................@..@.rsrc...............................@..@.reloc..\....0......................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	495584
Entropy (8bit):	6.7696106294027665
Encrypted:	false
SSDEEP:	12288:liTMfjH1WyHWOJ9cKAuBxjC5kQqM+Ocq1qxwQpIDzu:liTMfL1zH3cKdNkcpxdwzu
MD5:	7E4FF135187E924AB5E9AF57F063257A
SHA1:	76FC0D22948806794633AC83AC8DB950597129F7
SHA-256:	62AE41A2314CEF52325CA8D0D0DE4EE20669A89BCC8AB69058FCE44307242033
SHA-512:	8400924C40EC18B7CB2BACF022990B7F3A84843399519288696EBC865111C1D43A8D30E2A73ED258181BEA38B809F3D703E33B88CEE192CD184FD02410B944F2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........2..FS..FS..FS...;..IS...;...S...;..US....i.GS..."..IS..."..SS..."..gS...;..OS..FS...S...!..GS...!..TS...!..GS...!Q.GS..FS9.GS...!..GS..RichFS..........................PE..L......a...........!.........~.......................................................Q....@A.............................)......d....................f...)... ...V......................................@............................................text............................... ..`.rdata........... ..................@..@.data...(...........................@....rsrc...............................@..@.reloc...V... ...X..................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\32\pcProxAPI.lib

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87450
Entropy (8bit):	5.377844050731864
Encrypted:	false
SSDEEP:	1536:UYPgQYWWC/TKo5JQRMEMue6nTygxBI5ykPlq6Q2/K5npAenyxnw/OCTojlh26TgN:UYP4WOR+uO5zPAxp6xc8DEl7RPHg3AB
MD5:	4BF8353FA573249AF8D2185D06886A2A
SHA1:	B11BC033B5994693DA00511A1E328D84A483C8A5
SHA-256:	7FB669CAC2000307EDB87E4FE5D4313050A189C13FAFC11E001AA6D46D5FA616
SHA-512:	885F136EC3AC7FC086794AA8D1D8F005FFDE8F1DE75B3449FDBF8F3F51C0F36048FA84C4A22C121CAD29DB773A62DBE001335D5DDD426DA049E77189AF1E2625
Malicious:	false
Preview:	!<arch>./ -1 0 21502 `............0...h...,...,...................v...v...........R...R...........:...:...........................................j...j...0...0...................................V...V...................................n...n.................N...N.................T...T...p...p...................2...2.................x...x...........V...V...........8...8.......................l...l...........D...D........."..."...............................x...x...................8...8...............................^...^...D...D.........(...(.................~...~...........`...`..."...".................v...v...........\...\.........................0...0.................4...4...P...P.........................~...~...........T...T...............................................\|...\|...........^...^.................:...:..."...".................^...^...........D...D.........$...$.........................

C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	481248
Entropy (8bit):	6.549528625401982
Encrypted:	false
SSDEEP:	12288:xTl7DNpxv0H9Qq54mhhdFnJLgw79+sqi6:xTl7DNLq5H/Qw7Ei6
MD5:	D522C17E1620D9F3AFFE969C2E8ED089
SHA1:	AD465E113E4CBEAC0747DBB1BE8630053325105C
SHA-256:	0EA38137164E2BE0599B6AF01326720C41DDDCA0A2CF491441A5EE0C0B7BFC7C
SHA-512:	4C2215D1E7ECC2C801BA58F7F5A2536B35148CD8384512D2BF23B6348DFB120578302F63DAA7ED49509CA1687F901A6101105CBE4171A824E7376895BDDAD7C0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.".q.L.q.L.q.L..H.z.L..O.v.L..I...L..m..p.L..H.~.L..O.x.L..I.S.L..M.x.L.q.M...L..H.p.L..I.c.L..L.p.L...p.L.q..p.L..N.p.L.Richq.L.........PE..d...3..a.........." .....J...........*.......................................`......9.....`A.............................................)..`...d....@..........06.......)...P.......k..T...........................@l..8............`...............................text... H.......J.................. ..`.rdata...~...`.......N..............@..@.data...............................@....pdata..06.......8..................@..@_RDATA.......0......................@..@.rsrc........@......................@..@.reloc.......P.......$..............@..B................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\pcprox\lib\pcproxapi\64\pcProxAPI.lib

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	80822
Entropy (8bit):	5.371100192595072
Encrypted:	false
SSDEEP:	1536:CQ/x1S+l7EsJWZtKkK42URmqhXgotyTK0SSlEH9SmhgfkE1+7nvGsoKYuRqX/JCw:CQ/jW1Tfye0w9ckb4P1TxmjQ
MD5:	19F5B596AAC79018239D44390816A1EA
SHA1:	DC76E2DE0881DB72794DFFE02554BCA066B530FD
SHA-256:	B83B1196E79A4B81DCF7DF21B7527F5DA646EC614BECEDA771D7C3B0EEAB22D9
SHA-512:	6F81EB41AB03C75B7AB5A98A62EBF4CDA8DB060A11E0F34229D4B87FC1279D438F11B893896C501B2EE1759EDD89E659E1A0CC8291F5E536420811AD1B5A40A9
Malicious:	false
Preview:	!<arch>./ -1 0 19410 `........B...t.......\|...\|...........N...N...........$...$...................r...r...........L...L.................................J...J...........$...$...................`...`...........2...2...................d...d...........>...>...........~...~...........T...T...........0...0...................t...t...........F...F...................................f...f...........:...:...........................X...X...........B...B.................................z...z...P...P...........$...$...........h...h...........................&...&...................p...p...........T...T...........t...t...........R...R.....................................d...d...........4...4...........v...v...........R...R...........,...,.................d...d...............................................t...t...........R...R.........z...z...(...(...........p...p...........4...4...............................^...^...........D...D...

C:\Program Files (x86)\IDmelon\Accesskey\config.xml

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	715
Entropy (8bit):	5.900377503872211
Encrypted:	false
SSDEEP:	12:TMHd4Pro8iKdjV/xK5/2ICZNpqlG9wVKSANmGykRquWqSSYPxBYHNweWTLS:2d4jo8Pf/Q/2bZ/qmwVKSvG7eXB5nS
MD5:	02BE68D6960A88D9624395552010229F
SHA1:	8862F5DD62E21C145F8AFDF99F2D3C2593AF5CBB
SHA-256:	5610612647CEA38F5FF70BE9FE88F2E8787B33D9BFF75EE93BF24E3DF006E78C
SHA-512:	FEE065201842C533FDAF3EB5F85558D9C79CF40DF26DC7A4A2EB26E1C703F577F16F27E21F6C7DFC8CEC5AF9E1C9594EF75B6F3B0FCDA927B790849C523EC141
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<Config xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <Mode>Card</Mode>.. <AppID>669c900e0431ff000837d547</AppID>.. <Token>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImNyZWF0ZWRBdCI6MTcyMTUzNjUyNjg4MCwiX2lkIjoiNjY5YzkwMGUwNDMxZmYwMDA4MzdkNTQ3In0sImlwIjoiOC40Ni4xMjMuMzMiLCJ1c2VyQWdlbnQiOiJSZXN0U2hhcnAvMTEwLjIuMC4wIiwiaWF0IjoxNzIxNTM2NTI2fQ.lAFTXKb0Zv2nI1iLvPNnotIrLG7Meqmmz8NGQKY_sKg</Token>.. <ServerPublicKey>04e80ad41dd32e8b28bfd640e6d08e4bbea84d7f8bbb3e03797c3673e5f4b2f236faad80ab6cfa5169a1047ff1b558fcebaf87b8ef788dbb27b2c0fdde32b84623</ServerPublicKey>.. <PinPolicy>PinRequired</PinPolicy>..</Config>

C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x64.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	12684056
Entropy (8bit):	5.750572800376826
Encrypted:	false
SSDEEP:	98304:T90rvru1gfhuxb58gzjuq8/bx72QJg/+gqms:T9Mvru1+hux/uPTcQK/Zjs
MD5:	865C7D285D665FE4D9FB672B111DD54D
SHA1:	C3E83E7A8402F0DE75A49D5DCC71DD131E9B2CAB
SHA-256:	4151229B6E31DAE91D459BE70655417DD18E6B0869C9A72FEF08A5BB28D980B8
SHA-512:	9BE1CA48ABFBCFB0964B25613E62EF75A5603876E84DD317D5946A96E1FFC64E219366B4635582D4C455212580E6B94A5DE54E5FFF6523792ABFA2BCF0E18A1E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6es.r...r...r....`..o....`..\|....`.........v...IZ..x...IZ......IZ..Z...r...c....`..y...r........Z.......Z.......Z..s....Z..s....Z..s...Richr...........PE..d...~\|.c.........." .........`8..............................................`............`.............................................#...x...x....0..Y....@..x....b...)...@.......n..8.......................(...0o..................x............................text............................... ..`.rdata...,.......,.................@..@.data........@...Z...&..............@....pdata...q...@...r..................@..@.idata..K$.......&.................@..@.tls....s...........................@....gfids..4...........................@..@.00cfg....... .......:..............@..@.rsrc...Y....0.......<..............@..@.reloc..V....@... ...B..............@..B........................................................

C:\Program Files (x86)\IDmelon\Accesskey\grpc_csharp_ext.x86.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	9986840
Entropy (8bit):	5.798952004538316
Encrypted:	false
SSDEEP:	98304:ht0TyUQmSCXRLO0KmlsunPzBVhgH01n/QoDD:hwQmSCB3Kmlsq1
MD5:	5375B505F0463930EE8EA2254B477DEB
SHA1:	B114BC70840FCFD7BB60ECACFFA1944F23A459FF
SHA-256:	F6A6B19A8EA19E51CD4FB8E120A8B3DF609429193653618E56D24C5D9704E56C
SHA-512:	2CE74BB9CAFB182E0052CEFBC5B40C0CEBC6DF31DF80DF59CD1BE9AFFAB53E274D75133327903FE3D8828F09225B20D48E3E2FC58BB58A4D17F542C5D6E7F7D4
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......\|C..8"..8"..8"..WF..."..WF..."..WF..'".....;"...\|..$"...\|..O"...\|..."..8"..4"..WF..3"..8"..."..\|...#..\|..#..\|..9"..\|..9"..\|..9"..Rich8"..........................PE..L...p\|.c...........!......z.........T+........z..........................................@.........................0........d..x.......Y............:...).............8..........................H...@............`...............................text.....z.......z................. ..`.rdata...H....z..J....z.............@..@.data....3... ......................@....idata..K....`.....................@..@.tls....$...........................@....gfids..............................@..@.00cfg............... ..............@..@.rsrc...Y............"..............@..@.reloc..............(..............@..B................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\log4net.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	270336
Entropy (8bit):	5.596191661109029
Encrypted:	false
SSDEEP:	3072:h+8gmdoxSO7ZbQFroo7RVir/dtnK0sgdnogtHcU5qFG1RSGCkE9kKn7GCcaLoWn:c1N8LLI/PK0scnodG1RS1T93caL
MD5:	46319A38CE5D09020D2AC56B67829C6C
SHA1:	FFE64CA4D4BC9E1DAB1D195982D22121A6BAA058
SHA-256:	1D45A6AFA38F0B10814063F2A42E6EFCE45752853667650E765844B8566B3332
SHA-512:	0DE61771A92EE71470E51BCCF66D3A39C105AE23D60E73D8E4E7D44135DFF4C8D1DDDFF9BBB6BE72FF083D51C784E5CA829A6ADEFEE87FD901D2DE58DB0DDB03
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0...... ........... ... ....... .......................`...........`.....................................O.... .......................@......\|................................................ ............... ..H............text...(.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	373288
Entropy (8bit):	5.612916865047601
Encrypted:	false
SSDEEP:	6144:dI6VyDGb+HiFr4kchE18dkuCj7jLwcYBQarDosNXUk:dIJDGb+Hiu9hE18dkxfdsNXV
MD5:	17DE7869B1B721B3FFF9DBE111CAAFF8
SHA1:	5CA75CBF7928732B5B022BC06146216CC7EEBC30
SHA-256:	852F71F992F9C6FE89875F468AB7058FD9E0CF03FC13654E7E2F291BC403517F
SHA-512:	A4C736EECDCC4DBED1D871B1E593B174A09001DFAB5D2FE1309918CCDF82DC25C09683799B35F6BF748E4A61466BC302A30A5FB62A350A6912C9112108501155
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"1P.C_..C_..C_..;...C_..;...C_...$..C_..C^.YC_..;...C_......C_..;...C_.Rich.C_.........................PE..d...]..Y..........#......D...X................@.........................................................................................................\|...P..."......(............................................................`.. ............................text...4B.......D.................. ..`.rdata.......`.......H..............@..@.data...dC......."..................@....pdata..."...P...$..................@..@.rsrc....\|.......~..."..............@..@................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-arm\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) ARMv7 Thumb, for MS Windows
Category:	dropped
Size (bytes):	1083392
Entropy (8bit):	7.142876487136901
Encrypted:	false
SSDEEP:	24576:klnHRpXN2xxKmSckQwFwM3CHpzDTzRHzYNrCP74Y:k9cxxKJckQwdCJzDWNr4
MD5:	FBB305C445AB83E83BF60BDBA8534173
SHA1:	AB6E1A12C5EA3C14B7657395D09B3B7ED2546126
SHA-256:	632CEB55168C31C79A9B25BEF41C197AE6978326EE17F80DEF74EB75F1BE474E
SHA-512:	22024B6FE6241D8C6509A3094225302EF852CC39F85D168110D2C1C745B68CD957ED3B799CF22AB8038F13A0F8BFD964D9B0D529594AC83D7D938B9A830B0419
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........g.&...u...u...u.n.tc..u.n.t...u.n.t...u...ui..u.v.t...u.v.t...u.v.t...uXw.t...uXw.t...uXw4u...uXw.t...uRich...u........................PE......f.:_.........."!................aH....................................................@A........................0~...".....(....P..........pO...........`...V..h...T............................................................................text............................... ..`.rdata..............................@..@.data...tJ.......>..................@....pdata..pO.......P..................@..@.rsrc........P......................@..@.reloc...V...`...X...0..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x64\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1570816
Entropy (8bit):	6.521735562400957
Encrypted:	false
SSDEEP:	24576:HIDsTpsRAN6hgpHIUpR9kMjYfV2QDdMQzb704Zw6K33PM36ZM5NH2Rt:HIDsTpsqtpoUpRQNYJ6e3PM3ek
MD5:	B429904F765F9EC975A15E8AB8CEB569
SHA1:	45D073854924B924C50B27363D37531673CBCC81
SHA-256:	F1C53F43819798C577EB9F4AC83BB3FAB38FA21AAF565DEFE8573B2FCA768230
SHA-512:	76AA50E3B6FC4D2C8C3F468AB061F0809399F8C723B1359E291011EE288AC75EA8170D357F9BE20EF94D121140B7FF53BB05E29F96EBE041032357ED7334A279
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................D............L..1......1......1......~......~......~.W....~......Rich...................PE..d...].:_.........." .........>...............................................P............`A........................................ ...."......(.... .......@...............0......X...T...............................0............................................text............................... ..`.rdata..*...........................@..@.data...Xj.......T..................@....pdata.......@......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\runtimes\win-x86\native\e_sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1184256
Entropy (8bit):	6.73335357356
Encrypted:	false
SSDEEP:	24576:XZrSxkftqbYzaTG7p5SX6BrR/uNQHBfvELjdf960rsJGgbNG:XZryxKR9TANit8lsJ6
MD5:	E02613D1A6211EB1BFC8D15431ACBD68
SHA1:	44D61B27A03C4BAE38C69B9F5449F613913E88DA
SHA-256:	03EF15557EC8B1DD8D8D1F5552EC96DF2E5EC27DE3A1ACFCB1C16D7A8A559AC9
SHA-512:	9CF82D36C77A33A77DF24335FE967A58E41C9140002C686912B465F1B3A1AB29511888AB39D3974BD9CA0E4B08C2B0F9310E60DB8CA09A0E52B84F9BC0FFD3C9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............z...z...z..y..z....o.z..~..z..{...z...{.~.z......z...~...z...y..z.H.~...z.H.z...z.H.....z.H.x...z.Rich..z.................PE..L...R.:_...........!.........l...............................................P............@A.........................*..."...M..(...................................."..T...........................p"..@............................................text............................... ..`.rdata..n...........................@..@.data....K...`...>...L..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
File Type:	ASCII text, with very long lines (467), with CRLF line terminators
Category:	dropped
Size (bytes):	2317
Entropy (8bit):	5.695897002288219
Encrypted:	false
SSDEEP:	48:1cHxpHXhVw3MmE0yx3MmELucsV/2dBCKR7I/WrSWrPEj7j6AxuEX:1KFQMmZCMmYucg2dBCQI/1KEj7jVxl
MD5:	FC7B23C76DBE73425D476CD78BBB9E07
SHA1:	F5C2190124DE808C89318B9652AB93CBE38E1C68
SHA-256:	A0A0F64A373D1F7E79F5DC3A2A75EAC59E21142B471CA1351341181A58E55B43
SHA-512:	809EAD24140E15B5763B652F8F0A9D9721A171A9B5EE71AC5216F6304051E429FBD0B1CAB9A9B34EDB810B8F83572555A6E07104BED818C847E6F6E86E29FDD5
Malicious:	false
Preview:	2024-07-21 00:35:22,998 INFO - [Main] IDmelon AccessKey service started.....2024-07-21 00:35:23,029 INFO - [Main] IDmelon AccessKey service v2.7.0.0..2024-07-21 00:35:23,061 INFO - [InitConfig] Requesting new Token and AppID..2024-07-21 00:35:23,061 INFO - [InitConfig] No Proxy is being used..2024-07-21 00:35:23,873 INFO - [InitRequest] [ServiceManager._InitRestRequest] {"uniqueId":"XRF4CT6SRPHEA160VN5TV766AYHCRVBQQ94JZAVP22H0AYXFCNZG","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":"141700","userName":"SYSTEM","deviceId":null,"publicKey":"0475589d95854bd7f0e7992afc5a3a5af230cc6212dd161e84efced44b7b2986b06df027804fc54dc90b170db7e7837158361c6c8bb823d75c674e22ed644bd703"}..2024-07-21 00:35:23,951 INFO - [InitRequest] [ServiceManager._InitRestRequest] Reqeusting new accesstoken with params: {"uniqueId":"XRF4CT6SRPHEA160VN5TV766AYHCRVBQQ94JZAVP22H0AYXFCNZG","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":

C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	175053
Entropy (8bit):	5.440434367296417
Encrypted:	false
SSDEEP:	1536:JfHLrLkSRoybCQUZsrs0DC1cu8pOwSPAcezB010n6BBteqmLAl:Jfr3k+o5buDC1culhjKB0+n6Xteqmkl
MD5:	B70EC66793408BD53E85984AFB1243AA
SHA1:	571CC2B6E2F1BAE181BAA46775A2BE15A88B9AA2
SHA-256:	E2A31247F61646FEE58C3F2483E982EE838596D25FB6EBE8C674C6DCA83714EC
SHA-512:	787157F29C1B578D271EF3D421AE73B50546D72B61A2B4FAFA6908644287E4853441E52A45F0DFCF91A3AA1448659BCD60D1065935F5BC6133E53D94A67B0218
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j..........R5............@..........................@......7.....@.........................................................@-..(............................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata...@...P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\websocket-sharp.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	226816
Entropy (8bit):	5.805239882361139
Encrypted:	false
SSDEEP:	6144:aG6L6WIqe9bjj1OLNryn2aJJJnoQCSJgI:aG6L6WTeBjKsn2aJPoQ
MD5:	E67544B112F568F13B17D72189FDA007
SHA1:	B75B79C65330A77FE7AEA5EF6C319D7F3D1865D4
SHA-256:	697F13F09CB2C425DDCFE1AA167D698F7AF5AEA48D03D5370143BC00E9BBFA2E
SHA-512:	5A3381C0BE69DF8DC5A8C7C931B14919A189A8D03D2128D3848FBF73E3FD21631FE44ECCD9BAF97A15F646D0FCC5B3263B6EAC2F98D67557A07AD6FB4F91C402
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9!..........." ..0..j..........V.... ........... ...............................2....`.....................................O.......0...........................`...8............................................ ............... ..H............text...ti... ...j.................. ..`.rsrc...0............l..............@..@.reloc...............t..............@..B................6.......H.......0...............................................................J.("....~N...}....&...(....&...(....:.(".....}....R.("......s....}....&...(......{....2.{....o....V.{....o....%-.&~#.....{...."..}....&...(....V.(".....}......}......{......{........0..#.........j-...s$.....(........,..o........................0..X.......s%.....o&...-....jo'......s(...... ....o)....o....~......o+.....jo'........,..o............!.+L.......0.."........(......o*....o,....

C:\Program Files (x86)\IDmelon\Accesskey\x64\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1680384
Entropy (8bit):	5.9158652584281235
Encrypted:	false
SSDEEP:	24576:bu0KzhOuLJpZi3M3FEacJpL99AdS/3cZM:KDzlDyMCawpaS/
MD5:	E6663E129C949753773147061E5AC708
SHA1:	301FF30F7A698FA67AF19CEB9063B09E8BA5163B
SHA-256:	CDD6C407B61371280E49C9A2B34AF4EC06B0191993E6EDE8EFB9235990837977
SHA-512:	00B4313247C367298E7CD529F5CEA1B9F8A74671477DE29A34474F2E132B0EE61EE629905C0788546ED53505983A59D6E1170F463869FE660E66F23CF691488C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y...=.f.=.f.=.f..w..>.f.=.g.C.f.4...&.f.4...6.f.4...f.f.4...<.f.#...<.f.4...<.f.Rich=.f.........................PE..d.....<W.........." ................................................................................................................0....#...p..(............p......................................................................8u...............................text...4........................... ..`.rdata..............................@..@.data...9Z.......B..................@....pdata.......p.......2..............@..@.idata..D....p.......2..............@...text....J............H..............@.. data....F ......."...N..............@..@.rsrc................p..............@..@.reloc.._........ ..................@..B........................................................................................................................................

C:\Program Files (x86)\IDmelon\Accesskey\x86\sqlite3.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826775
Entropy (8bit):	6.520580307753605
Encrypted:	false
SSDEEP:	24576:QJCoOO8Mh2X8Vy0JHfv3kDpigeLKh2R6fFQVp:QL8MFVym/kDpitLKZy
MD5:	16A1612789DC9063EBEA1CB55433B45B
SHA1:	438FDE2939BBB9B5B437F64F21C316C17CE4A7F6
SHA-256:	6DEAEC2F96C8A1C20698A93DDD468D5447B55AC426DC381EEF5D91B19953BB7B
SHA-512:	D727CE8CD793C09A8688ACCB7A2EB5D8F84CC198B8E9D51C21E2DFB11D850F3AC64A58D07FF7FE9D1A2FDB613567E4790866C08A423176216FF310BF24A5A7E3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...TM<W....*......!.....j.........................a.........................`.......#........ .........................................x.......................@/..................................................................................text...,i.......j..................`.P`.data................p..............@.`..rdata..............................@.`@.bss..................................`..edata...............f..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc...x...........................@.0..reloc..@/.......0..................@.0B/4........... ......................@.@B/19.........0......................@..B/31..................j..............@..B/45.................................@..B/57.................................@.0B/70.....i.... ..........

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\EnVar.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	5.408403475729264
Encrypted:	false
SSDEEP:	192:hjD5Bzu8mRd7ylc01dOF6Nr4mNiFHFEH3HGH8t+zaY6GVIb6:V9BXI4cqxCa+WFAzUeC6
MD5:	4EE6C0578960BCB5DAD78947E0CBFFE9
SHA1:	DD90488FFDE0B0DF76E0A5E8DCA8192C77619D8B
SHA-256:	EB182D049BA19F697628E20228AF329780AAF62C3585A1E36B9FB988911FE697
SHA-512:	0592166761C32AA804A26FB90191F636173B6E5144E4C10B100841FCB4D05CC30D8FFC3716E823D02DD3BCC73CFB9106639CF8AE2AEEBA409213F2F40DF5932C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.....................................................Rich....................PE..L...,N"`...........!................p'.......0...............................`............@.........................@2......l0..P............................P..\...P0...............................................0..L............................text............................... ..`.rdata..k....0......................@..@.data........@......."..............@....reloc.......P.......&..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	5.4709854684159085
Encrypted:	false
SSDEEP:	192:E6GQtZkTktEQUrJaZfuyCnSmUsv3sY7L7cW8Y6Q86QvoT311929WtshLAzgSrX8:E6Nt+4t7uJalUnGesY7Lt8nC3/Yosa
MD5:	D1EEFB07ABC2577DFB92EB2E95A975E4
SHA1:	0584C2B1807BC3BD10D4B60D2D23EEB0E6832CA2
SHA-256:	89DD7D646278D8BFC41D5446BDC348B9A9AFAA832ABF02C1396272BB7AC7262A
SHA-512:	EAFFD9940B1DF59E95E2ADB79B3B6415FFF5BF196EBEA5FE625A6C52E552A00B44D985A36A8DD9EB33EBA2425FFEA4244ED07A75D87284FF51EC9F9A5E1AC65E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N.px.q.+.q.+.q.+.q.+[q.+.~C+.q.+^R.+.q.+^R/+.q.+.w.+.q.+.Q.+.q.+Rich.q.+........PE..L....C.f...........!.........`.......+.......0............................................@..........................8......X1..................................X....................................................0..X............................text............................... ..`.rdata..G....0......."..............@..@.data...DL...@.......,..............@....rsrc................6..............@..@.reloc..x............8..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	1066
Entropy (8bit):	3.697986458887617
Encrypted:	false
SSDEEP:	24:Q+sxv5SAD5ylSjqWCs7y6J9aQ9nO6k8lb2WvCxGKC96kDWlYpf:rsxwAQSjqQz9a78lbQV8
MD5:	8F5F8C0B198B22805B684A52FA5BFBD3
SHA1:	31AEFDE93E8EE12C564A83E5F05E55C384E39203
SHA-256:	8CBFE04467E491138805F33B5FA1A0B3441052348EDCB7843DD8329DD263BB2E
SHA-512:	DA3ABD8E8B2E34FA3989C504A8697017F49985B44FB305EC8C9C07A07647F98CFA5374CB14A3536D80B03852BC2A806106AC56ACC036690F7BF348181EE8050A
Malicious:	false
Preview:	..[.S.e.t.t.i.n.g.s.].....R.e.c.t.=.1.0.4.4.....N.u.m.F.i.e.l.d.s.=.3.....R.T.L.=.0.....N.e.x.t.B.u.t.t.o.n.T.e.x.t.=.&.F.i.n.i.s.h.....C.a.n.c.e.l.E.n.a.b.l.e.d.=.....S.t.a.t.e.=.0.....[.F.i.e.l.d. .1.].....T.y.p.e.=.b.i.t.m.a.p.....L.e.f.t.=.0.....R.i.g.h.t.=.1.0.9.....T.o.p.=.0.....B.o.t.t.o.m.=.1.9.3.....F.l.a.g.s.=.R.E.S.I.Z.E.T.O.F.I.T.....T.e.x.t.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.n.s.k.9.B.0.F...t.m.p.\.m.o.d.e.r.n.-.w.i.z.a.r.d...b.m.p.....H.W.N.D.=.9.1.7.6.3.2.....[.F.i.e.l.d. .2.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.1.0.....T.e.x.t.=.C.o.m.p.l.e.t.i.n.g. .A.c.c.e.s.s.k.e.y. .S.e.t.u.p.....B.o.t.t.o.m.=.3.8.....H.W.N.D.=.8.5.3.0.5.0.....[.F.i.e.l.d. .3.].....T.y.p.e.=.l.a.b.e.l.....L.e.f.t.=.1.2.0.....R.i.g.h.t.=.3.1.5.....T.o.p.=.4.5.....B.o.t.t.o.m.=.1.8.5.....T.e.x.t.=.A.c.c.e.s.s.k.e.y. .h.a.s. .b.e.e.n. .i.n.s.t.a.l.l.e.d. .o.n. .y.o.u.r. .c.o.m.p.u.t.e.r...\.r.\.n.\.r.\.n.C.l.i.c.k. .F.i.n.i.s.

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 4, image size 26376, resolution 2834 x 2834 px/m, cbSize 26494, bits offset 118
Category:	dropped
Size (bytes):	26494
Entropy (8bit):	1.9568109962493656
Encrypted:	false
SSDEEP:	24:Qwika6aSaaDaVYoG6abuJsnZs5GhI11BayNXPcDrSsUWcSphsWwlEWqCl6aHAX2x:Qoi47a5G8SddzKFIcsOz3Xz
MD5:	CBE40FD2B1EC96DAEDC65DA172D90022
SHA1:	366C216220AA4329DFF6C485FD0E9B0F4F0A7944
SHA-256:	3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
SHA-512:	62990CB16E37B6B4EFF6AB03571C3A82DCAA21A1D393C3CB01D81F62287777FB0B4B27F8852B5FA71BC975FEAB5BAA486D33F2C58660210E115DE7E2BD34EA63
Malicious:	false
Preview:	BM~g......v...(.......:............g..................................................................................DDD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@..DDD....DDDDDD........................................DDDDDDDDDD....DDDDDDDDD........DD@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDD@@@@DDDDDDDDDD@@@@@@D..DD....DDDDDDD......................................DDDDDDDDDD....DDDDDDDDDD......D..D@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@DDD..D.....DDDDDD......................................DDDDDDDDD.....DDDDDDDDD......DDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDDD@@@@@@DDDD.......DDDDDD.....................................DDDDDDDDDD....DDDDDDDDDD.....DDDDD..@@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@DDDDDDDDDD@@@@DDDDDDDDD@@@@@@DDDDDD.......DDDDDD....................................DDDDDDDDD....DDDDDDDDDD......DDDDDD..@@@@DDDDDD@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7168
Entropy (8bit):	5.2959870663251625
Encrypted:	false
SSDEEP:	96:JwzdzBzMDhOZZDbXf5GsWvSv1ckne94SDbYkvML1HT1fUNQaSGYuH0DQ:JTQHDb2vSuOc41ZfUNQZGdHM
MD5:	B4579BC396ACE8CAFD9E825FF63FE244
SHA1:	32A87ED28A510E3B3C06A451D1F3D0BA9FAF8D9C
SHA-256:	01E72332362345C415A7EDCB366D6A1B52BE9AC6E946FB9DA49785C140BA1A4B
SHA-512:	3A76E0E259A0CA12275FED922CE6E01BDFD9E33BA85973E80101B8025EF9243F5E32461A113BBCC6AA75E40894BB5D3A42D6B21045517B6B3CF12D76B4CFA36A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,.................Rich...........................PE..L...Q.d...........!......................... ...............................P............@..........................$..l.... ..P............................@....................................................... ...............................text............................... ..`.rdata..<.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\AccessKeyFidoVhid.dll (copy)

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD2F6.tmp

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD326.tmp

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\SETD337.tmp

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	data
Category:	dropped
Size (bytes):	11622
Entropy (8bit):	7.262321244095951
Encrypted:	false
SSDEEP:	192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
MD5:	F99106D82F0FF3A7CEDEF078919DD359
SHA1:	C4281154C3B52B32467AB042B460333623033F3B
SHA-256:	51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
SHA-512:	8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
Malicious:	false
Preview:	0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\accesskeyfidovhid.inf (copy)

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\wudf.cat (copy)

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	data
Category:	dropped
Size (bytes):	11622
Entropy (8bit):	7.262321244095951
Encrypted:	false
SSDEEP:	192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
MD5:	F99106D82F0FF3A7CEDEF078919DD359
SHA1:	C4281154C3B52B32467AB042B460333623033F3B
SHA-256:	51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
SHA-512:	8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
Malicious:	false
Preview:	0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey Website.lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 21 03:35:35 2024, mtime=Sun Jul 21 03:35:35 2024, atime=Sun Jul 21 03:35:35 2024, length=48, window=hide
Category:	dropped
Size (bytes):	1294
Entropy (8bit):	4.599982412544224
Encrypted:	false
SSDEEP:	24:8mr3e2h0Exv0dOE4Z+ksGW9VoWdUAOlab+Nfd22WxWSd22WVVUUlnzHqyFm:8mBZqdOWVZjOla6Nfd8dMWiWyF
MD5:	FCECCECD420ACE47079A6E01E993EA98
SHA1:	13F99FF4BDFDF20666787AA8582FD75A0CBC3769
SHA-256:	C7467B06A37556AF65F45C412733F651564361FBBD817781ABE2E89BC3BC32ED
SHA-512:	BF85F407707F84E7405CD77A5CBABCF8002D576757F13295C021FB66149F3078050E0B481A97CEB4048D77637A43020CC1A0C9FC974EEC3F028EEF6B0303FCF0
Malicious:	false
Preview:	L..................F.... ......m'......m'......m'...0............................P.O. .:i.....+00.../C:\.....................1......Xi$..PROGRA~2.........O.I.Xi$....................V.....z...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......Xi$..IDmelon.@.......Xi$.Xi$..........................z...I.D.m.e.l.o.n.....\.1......Xr$..ACCESS~1..D.......Xi$.Xr$...........................Sv.A.c.c.e.s.s.k.e.y.....x.2.0....Xr$ .ACCESS~1.URL..\.......Xr$.Xr$.....C....................B.e.A.c.c.e.s.s.k.e.y. .w.e.b.s.i.t.e...u.r.l.......m...............-.......l..............g.....C:\Program Files (x86)\IDmelon\Accesskey\Accesskey website.url..V.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.\.A.c.c.e.s.s.k.e.y. .w.e.b.s.i.t.e...u.r.l.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.........*................@Z\|...K.J.........`.......X.......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Accesskey.lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 7 11:53:40 2024, mtime=Sun Jul 21 03:35:16 2024, atime=Sun Jul 7 11:53:40 2024, length=228392, window=hide
Category:	dropped
Size (bytes):	1269
Entropy (8bit):	4.598817995773257
Encrypted:	false
SSDEEP:	24:8mRhh0Exv0dOE4Z+kw5WsK0WGcADlab+sxd22WxWGqgd22WVVUUlnzvqyFm:8mRhZqdO6FPDla6AdlgdMWiOyF
MD5:	30AC5AFF99C01A92D4FC3532BEF390B5
SHA1:	E6682409F302DF9CA5E8A82600C51E63B67301CB
SHA-256:	A038C595D82CCA301EA06A7F633227E69808EADFAD3105FF140981C39F10114A
SHA-512:	CBFD63857FABC5FDA4B924EF4048A0A029A186BA1C7635D792B54C2B7425AE9C82E791E332883CA05F807E9A93304DF10BA776B23228C315120D98C49DC7053E
Malicious:	false
Preview:	L..................F.... .......l.....b'.......l...(\|...........................P.O. .:i.....+00.../C:\.....................1......Xi$..PROGRA~2.........O.I.Xi$....................V.....z...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......Xi$..IDmelon.@.......Xi$.Xi$..........................z...I.D.m.e.l.o.n.....\.1......Xo$..ACCESS~1..D.......Xi$.Xo$...........................?..A.c.c.e.s.s.k.e.y.....n.2.(\|...X.f .ACCESS~1.EXE..R.......X.f.Xi$..............................A.c.c.e.s.s.k.e.y.C.l.i...e.x.e.......h...............-.......g..............g.....C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe..Q.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.\.A.c.c.e.s.s.k.e.y.C.l.i...e.x.e.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.........*................@Z\|...K.J.........`.......X.......141700...........hT..CrF.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IDmelon\Uninstall Accesskey.lnk

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sun Jul 21 03:35:35 2024, mtime=Sun Jul 21 03:35:35 2024, atime=Sun Jul 21 03:35:35 2024, length=175053, window=hide
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	4.640652829998599
Encrypted:	false
SSDEEP:	24:8mVh0Exv0dOE4Z+ksGWpSbHUAGlab+Bkd22WTvgd22WVVUUlnz7qyFm:8mVZqdO0GDGla6BkdSvgdMWi6yF
MD5:	575EC00A1351248564EA80BBA7187A8C
SHA1:	395650A78603C28FDBCB65957A34E7B88740F105
SHA-256:	0042F4D22633CADC3ECA45DB10CFD9445532650A5CD1C7BDB5C206D4412BA47D
SHA-512:	E1642E8E7C2567559FA3630794D8CE8174B9292A8D24DD308C003DB9ED5B6D1AAE2199207E06187AEC2BAFF4851AC690AFF4D8E3BE466D4D6FF4C86E85BF8C6B
Malicious:	false
Preview:	L..................F.... ....H.m'......m'......m'...............................P.O. .:i.....+00.../C:\.....................1......Xi$..PROGRA~2.........O.I.Xi$....................V.....z...P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.7.....V.1......Xi$..IDmelon.@.......Xi$.Xi$..........................z...I.D.m.e.l.o.n.....\.1......Xr$..ACCESS~1..D.......Xi$.Xr$...........................Sv.A.c.c.e.s.s.k.e.y.....h.2.....Xr$ .UNINST~1.EXE..L.......Xr$.Xr$.....C....................E.q.u.n.i.n.s.t.a.l.l...e.x.e.......e...............-.......d..............g.....C:\Program Files (x86)\IDmelon\Accesskey\uninstall.exe..N.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.\.u.n.i.n.s.t.a.l.l...e.x.e.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.I.D.m.e.l.o.n.\.A.c.c.e.s.s.k.e.y.........*................@Z\|...K.J.........`.......X.......141700...........hT..CrF.f4... ..T..b..

C:\Windows\INF\oem4.inf

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Windows\INF\setupapi.dev.log

Download File

Process:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
File Type:	Generic INItialization configuration [BeginLog]
Category:	dropped
Size (bytes):	50904
Entropy (8bit):	5.031514424084905
Encrypted:	false
SSDEEP:	768:Own95cdyYloiwQ+zf7DaLfgWpuaa1/9YdL1C:O+5cdyeoiwQ+z4Y8uhSzC
MD5:	62C05FC75494C7258C677085DF4D73C6
SHA1:	6907689DF565FDFA4F0F9CC8D0FA8FA321898BB1
SHA-256:	3FF312F9C29408213CDA41DAF5E5DEB2C3F4907CA72B8D1463992BFFE4D79B10
SHA-512:	0D1AC862EC423556DA8BD07BB79CB0182A7566A25188849F1C90F5CDCD09D76B731FAE403E4B7CE5F40CC9138C317BE484CB6B21C9C91A65B36FB28F8C339041
Malicious:	false
Preview:	[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\AccessKeyFidoVhid.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4DA.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4EB.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\SETD4FC.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	11622
Entropy (8bit):	7.262321244095951
Encrypted:	false
SSDEEP:	192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
MD5:	F99106D82F0FF3A7CEDEF078919DD359
SHA1:	C4281154C3B52B32467AB042B460333623033F3B
SHA-256:	51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
SHA-512:	8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
Malicious:	false
Preview:	0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\accesskeyfidovhid.inf (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	4836
Entropy (8bit):	3.7387330079455343
Encrypted:	false
SSDEEP:	48:rRxR/zoP0dlUlyFxloQPxWmxxvVARfmwCfi6gDVkf3iQLt97Hu6/OgTgy7dCrXL5:rh/z9YRfmwCfiTQR97O4p4v9lsqs0sI
MD5:	8A71F48313969317868E08E1B8009DEF
SHA1:	3AE7FDACC7BEF1ECCDBEE2427E97ED90EFE2CF04
SHA-256:	09BB78FDE1F9681AACAA95880DB62B439DD6A25418D5E6BB44FB6EB90E66E12D
SHA-512:	32480914934142D1FB808CABF9651AF6295228766C39AB22CE4E1BC4E50555F03415E798D5117139AFE1482F7FFE8DE5F1014D5A3A0AF2DB490039621210EA31
Malicious:	false
Preview:	..[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.I.N.D.O.W.S. .N.T.$.".....C.l.a.s.s.=.H.I.D.C.l.a.s.s.....C.l.a.s.s.G.u.i.d.=.{.7.4.5.a.1.7.a.0.-.7.4.d.3.-.1.1.d.0.-.b.6.f.e.-.0.0.a.0.c.9.0.f.5.7.d.a.}.....P.r.o.v.i.d.e.r.=.%.P.r.o.v.i.d.e.r.S.t.r.i.n.g.%.....D.r.i.v.e.r.V.e.r. .=. .0.4./.0.3./.2.0.2.3.,.2.1...4...5.3...4.8.8.....C.a.t.a.l.o.g.F.i.l.e.=.w.u.d.f...c.a.t.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .C.l.a.s.s. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........;.[.C.l.a.s.s.I.n.s.t.a.l.l.3.2.].....;.A.d.d.r.e.g.=.F.I.D.O.C.l.a.s.s.R.e.g.........;.[.F.I.D.O.C.l.a.s.s.R.e.g.].....;.H.K.R.,.,.,.0.,.%.C.l.a.s.s.N.a.m.e.%.....;.H.K.R.,.,.I.c.o.n.,.,.-.5.........;. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=. .D.e.v.i.c.e. .s.e.c.t.i.o.n. .=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....%.M.a.n.u.f.a.c.t.u.r.e.r.S.t.r.i.n.g.%.=.I.D.m.e.l.o.n.,. .N.T.a.m.d.6.4...6...3.........[.I.D.m.e.l.o.n...N.T.a.m.d.6.4...6...3.].....%.D.e.v.i.c.

C:\Windows\System32\DriverStore\Temp\{91c75525-544b-8a4b-be9a-be815d4f29fa}\wudf.cat (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	data
Category:	dropped
Size (bytes):	11622
Entropy (8bit):	7.262321244095951
Encrypted:	false
SSDEEP:	192:1fMl5zkpJC4eRe4fh8uEwFQbdxUNQlO8X01k9z3AXL9Wa38i:1Xp7Aeo8uExUKlO8R9zGpWa3z
MD5:	F99106D82F0FF3A7CEDEF078919DD359
SHA1:	C4281154C3B52B32467AB042B460333623033F3B
SHA-256:	51FA1FC1D6CBA95C28E0AA3D622DFEBF925548ACB5440CC3CD865ED1DDBCDC9F
SHA-512:	8F8DB7AC371C52F7C9622AADE894027B509D5EBD7FB75ED1C8813A7B1A01634EFCD25CEC0B8842E9FCC175550C39F3509A11D036F1247DF0E8E2F4B79E8790FA
Malicious:	false
Preview:	0.-b..*.H........-S0.-O...1.0...`.H.e......0..k..+.....7.....\0..X0...+.....7........ppwO..<.X.7+..230920084942Z0...+.....7.....0...0.... ..x...h.......+C..T...D.n..f.-1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ..x...h.......+C..T...D.n..f.-0.....G.i..I7....K3U...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0.... 2...F.[n.P.6.O.h...3in..=...?..@1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>...F.i.l.e.......,a.c.c.e.s.s.k.e.y.f.i.d.o.v.h.i.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... 2...F.[n.P.6.O.h...3in..=...?..@0....:........B~......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0N..+.....7...1@0>.

C:\Windows\System32\catroot2\dberr.txt

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	4404
Entropy (8bit):	5.389927050329088
Encrypted:	false
SSDEEP:	96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3hpTpbCpEpDk+psNVpsLb:QO00eO00erMwmkB1kAIrN43
MD5:	AAC6A75645258D200ED5FBF42DEAE9ED
SHA1:	E7430024CA6023B2F7AD22C855E6BFCBF46DFC83
SHA-256:	D37899424B7B3B62FD41AA6BDF9F2EB65EEC0E8668F25599249FA98EA12EEFD1
SHA-512:	BA99BCC009BE4393C8C995382DCE2181ED24A48E000DF55DD5C6363310D5708444790BDE401509AE692014F5B4CBD6196E7DA6F15A8AA426981D896978B01499
Malicious:	false
Preview:	CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta

C:\Windows\System32\drivers\UMDF\AccessKeyFidoVhid.dll (copy)

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

C:\Windows\System32\drivers\UMDF\SETDB43.tmp

Download File

Process:	C:\Windows\System32\drvinst.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	52944
Entropy (8bit):	6.483483863603903
Encrypted:	false
SSDEEP:	1536:nXVCxosSAPn6cWynO6SUJhUZnY1PdBmz:XVzsZPnNWykLnYBm
MD5:	42BB134409EB5B648998844608434CD7
SHA1:	492284DD87E06372E6DDCA23D64C8B2FC771077B
SHA-256:	0B502F92BF3B6B975D88EA60A2288134C18B3B28BC93A3482ED4C336B7DC674B
SHA-512:	DAF807A2384A22425812DE390CCB33491874E206F5E9F6A9CCD16180D653A9F3DD2D659E1E668A32AAE5E974B800620CF9246355CF6FE02B0172E67BD62B010A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................[..............................F.....F.....F.7....F.....Rich...........................PE..d.....+d.........." ...".P...J.......@...................................................`A............................................X.......x........................8......D...0...8............................~..@............`...............................text...`O.......P.................. ..`.rdata...0...`...2...T..............@..@.data...P...........................@....pdata..............................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..D...........................@..B................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.996926513434255
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
File size:	32'784'232 bytes
MD5:	c0d645827131ac1166dbe06d45511323
SHA1:	1dfa4d4a7ad6817f3d774ecf1fea7b6730f6cbac
SHA256:	3b0dc5d40dc74076656f303aa3652910d44ac2cf6492a4a405c6652a4e777714
SHA512:	d7cd126057605d28f5dab766a667a5e6b4a18bb371922df3c60a2f56c3d5555869f1e9734fb703cda1fb73a1551807f968aff060c763024f7fdde695ea00895d
SSDEEP:	786432:15db9hUqgrj2a4Zt4OeuJb394BkSCkhh6CN+v3cMB:15dbvUqYd4L4O/JbKBBBh/N+cMB
TLSH:	267733C877519E36F9FCD3762A61204CFCA86ED37680F40E6405B357EA3F9A249C4A19
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................j.........

File Icon


Icon Hash:	183d47474b433d85

Static PE Info

General

Entrypoint:	0x403552
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x660843FB [Sat Mar 30 16:55:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	08/05/2024 20:43:05 15/06/2025 21:25:45
Subject Chain	CN=IDMELON TECHNOLOGIES INC., O=IDMELON TECHNOLOGIES INC., L=Vancouver, S=British Columbia, C=CA, OID.1.3.6.1.4.1.311.60.2.1.2=British Columbia, OID.1.3.6.1.4.1.311.60.2.1.3=CA, SERIALNUMBER=BC1233812, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	BFF7C718161D1B0634325495D4B5FD56
Thumbprint SHA-1:	02C6A1A590289496DCA4D0C7997872B2081DF44F
Thumbprint SHA-256:	5D1F98182AB7C9B075B727E829DBB46C0C7A69ECEC32C5C9C7230713EDA617BA
Serial:	5D1D6B9CF96BC0FC88A26BE6

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FE4CCC987EAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FE4CCC987B8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x1afb8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1f42d40	0x1228
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68f8	0x6a00	595406ea4e71ef6f8675a1bd30bcc8f9	False	0.6703272405660378	data	6.482222402519068	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	7a91ec9f1c18e608c3f3f503ba4191c1	False	0.5221354166666666	data	4.165541189894117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x49000	0x1afb8	0x1b000	b2ca111a8128155706cf577de71e383f	False	0.1403175636574074	data	3.615451346061621	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x492f8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 8504 x 8504 px/m	English	United States	0.04499881698805158
RT_ICON	0x59b20	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 8504 x 8504 px/m	English	United States	0.08384506376948513
RT_ICON	0x5dd48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 8504 x 8504 px/m	English	United States	0.11784232365145228
RT_ICON	0x602f0	0x1c6b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9774570446735396
RT_ICON	0x61f60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 8504 x 8504 px/m	English	United States	0.16674484052532834
RT_ICON	0x63008	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 8504 x 8504 px/m	English	United States	0.32092198581560283
RT_DIALOG	0x63470	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x63678	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x63770	0xa0	data	English	United States	0.60625
RT_DIALOG	0x63810	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x63900	0x5a	data	English	United States	0.7777777777777778
RT_VERSION	0x63960	0x224	data	English	United States	0.5145985401459854
RT_MANIFEST	0x63b88	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5130841121495328

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2024 06:35:25.468653917 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:25.468691111 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:25.468808889 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:25.482989073 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:25.483006954 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.404171944 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.404248953 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.408513069 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.408528090 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.408929110 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.463233948 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.509139061 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.552577019 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.682492971 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.694915056 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.694938898 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.971168041 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.971244097 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.971273899 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.971385002 CEST	443	49732	34.214.245.150	192.168.2.4
Jul 21, 2024 06:35:26.971431017 CEST	49732	443	192.168.2.4	34.214.245.150
Jul 21, 2024 06:35:26.981785059 CEST	49732	443	192.168.2.4	34.214.245.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 21, 2024 06:35:25.255194902 CEST	55828	53	192.168.2.4	1.1.1.1
Jul 21, 2024 06:35:25.458638906 CEST	53	55828	1.1.1.1	192.168.2.4

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Type
Jul 21, 2024 06:35:39.238286018 CEST	192.168.2.4	8.8.8.8	f7fd	Echo
Jul 21, 2024 06:35:39.244776011 CEST	8.8.8.8	192.168.2.4	fffd	Echo Reply
Jul 21, 2024 06:35:43.245237112 CEST	192.168.2.4	8.8.8.8	f7fc	Echo
Jul 21, 2024 06:35:43.252011061 CEST	8.8.8.8	192.168.2.4	fffc	Echo Reply
Jul 21, 2024 06:35:47.260957956 CEST	192.168.2.4	8.8.8.8	f7fb	Echo
Jul 21, 2024 06:35:47.267374992 CEST	8.8.8.8	192.168.2.4	fffb	Echo Reply
Jul 21, 2024 06:35:51.276714087 CEST	192.168.2.4	8.8.8.8	f7fa	Echo
Jul 21, 2024 06:35:51.283415079 CEST	8.8.8.8	192.168.2.4	fffa	Echo Reply
Jul 21, 2024 06:35:55.292164087 CEST	192.168.2.4	8.8.8.8	f7f9	Echo
Jul 21, 2024 06:35:55.298891068 CEST	8.8.8.8	192.168.2.4	fff9	Echo Reply
Jul 21, 2024 06:35:59.308401108 CEST	192.168.2.4	8.8.8.8	f7f8	Echo
Jul 21, 2024 06:35:59.508060932 CEST	8.8.8.8	192.168.2.4	fff8	Echo Reply
Jul 21, 2024 06:36:03.329509020 CEST	192.168.2.4	8.8.8.8	f7f7	Echo
Jul 21, 2024 06:36:03.337055922 CEST	8.8.8.8	192.168.2.4	fff7	Echo Reply
Jul 21, 2024 06:36:07.339082956 CEST	192.168.2.4	8.8.8.8	f7f6	Echo
Jul 21, 2024 06:36:07.345227957 CEST	8.8.8.8	192.168.2.4	fff6	Echo Reply
Jul 21, 2024 06:36:11.353713036 CEST	192.168.2.4	8.8.8.8	f7f5	Echo
Jul 21, 2024 06:36:11.360093117 CEST	8.8.8.8	192.168.2.4	fff5	Echo Reply
Jul 21, 2024 06:36:15.357193947 CEST	192.168.2.4	8.8.8.8	f7f4	Echo
Jul 21, 2024 06:36:15.364824057 CEST	8.8.8.8	192.168.2.4	fff4	Echo Reply
Jul 21, 2024 06:36:19.370167017 CEST	192.168.2.4	8.8.8.8	f7f3	Echo
Jul 21, 2024 06:36:19.377428055 CEST	8.8.8.8	192.168.2.4	fff3	Echo Reply
Jul 21, 2024 06:36:23.370456934 CEST	192.168.2.4	8.8.8.8	f7f2	Echo
Jul 21, 2024 06:36:23.376945019 CEST	8.8.8.8	192.168.2.4	fff2	Echo Reply
Jul 21, 2024 06:36:27.370343924 CEST	192.168.2.4	8.8.8.8	f7f1	Echo
Jul 21, 2024 06:36:27.376730919 CEST	8.8.8.8	192.168.2.4	fff1	Echo Reply
Jul 21, 2024 06:36:31.381580114 CEST	192.168.2.4	8.8.8.8	f7f0	Echo
Jul 21, 2024 06:36:31.388252020 CEST	8.8.8.8	192.168.2.4	fff0	Echo Reply
Jul 21, 2024 06:36:35.381098032 CEST	192.168.2.4	8.8.8.8	f7ef	Echo
Jul 21, 2024 06:36:35.387454033 CEST	8.8.8.8	192.168.2.4	ffef	Echo Reply
Jul 21, 2024 06:36:39.395757914 CEST	192.168.2.4	8.8.8.8	f7ee	Echo
Jul 21, 2024 06:36:39.402232885 CEST	8.8.8.8	192.168.2.4	ffee	Echo Reply
Jul 21, 2024 06:36:39.514332056 CEST	192.168.2.4	8.8.8.8	f7ed	Echo
Jul 21, 2024 06:36:39.520581961 CEST	8.8.8.8	192.168.2.4	ffed	Echo Reply
Jul 21, 2024 06:36:41.808069944 CEST	192.168.2.4	8.8.8.8	f7ec	Echo
Jul 21, 2024 06:36:41.816571951 CEST	8.8.8.8	192.168.2.4	ffec	Echo Reply
Jul 21, 2024 06:36:43.605217934 CEST	192.168.2.4	8.8.8.8	f7eb	Echo
Jul 21, 2024 06:36:43.611576080 CEST	8.8.8.8	192.168.2.4	ffeb	Echo Reply
Jul 21, 2024 06:36:46.434509039 CEST	192.168.2.4	8.8.8.8	f7ea	Echo
Jul 21, 2024 06:36:46.441016912 CEST	8.8.8.8	192.168.2.4	ffea	Echo Reply
Jul 21, 2024 06:36:49.495451927 CEST	192.168.2.4	8.8.8.8	f7e9	Echo
Jul 21, 2024 06:36:49.501930952 CEST	8.8.8.8	192.168.2.4	ffe9	Echo Reply
Jul 21, 2024 06:36:50.139195919 CEST	192.168.2.4	8.8.8.8	f7e8	Echo
Jul 21, 2024 06:36:50.145598888 CEST	8.8.8.8	192.168.2.4	ffe8	Echo Reply
Jul 21, 2024 06:36:54.149024010 CEST	192.168.2.4	8.8.8.8	f7e7	Echo
Jul 21, 2024 06:36:54.155702114 CEST	8.8.8.8	192.168.2.4	ffe7	Echo Reply
Jul 21, 2024 06:36:55.511099100 CEST	192.168.2.4	8.8.8.8	f7e6	Echo
Jul 21, 2024 06:36:55.517607927 CEST	8.8.8.8	192.168.2.4	ffe6	Echo Reply
Jul 21, 2024 06:36:59.519040108 CEST	192.168.2.4	8.8.8.8	f7e5	Echo
Jul 21, 2024 06:36:59.526762009 CEST	8.8.8.8	192.168.2.4	ffe5	Echo Reply
Jul 21, 2024 06:37:01.573579073 CEST	192.168.2.4	8.8.8.8	f7e4	Echo
Jul 21, 2024 06:37:01.579963923 CEST	8.8.8.8	192.168.2.4	ffe4	Echo Reply
Jul 21, 2024 06:37:05.576323032 CEST	192.168.2.4	8.8.8.8	f7e3	Echo
Jul 21, 2024 06:37:05.583128929 CEST	8.8.8.8	192.168.2.4	ffe3	Echo Reply
Jul 21, 2024 06:37:06.342524052 CEST	192.168.2.4	8.8.8.8	f7e2	Echo
Jul 21, 2024 06:37:06.349123001 CEST	8.8.8.8	192.168.2.4	ffe2	Echo Reply
Jul 21, 2024 06:37:07.074496031 CEST	192.168.2.4	8.8.8.8	f7e1	Echo
Jul 21, 2024 06:37:07.080987930 CEST	8.8.8.8	192.168.2.4	ffe1	Echo Reply
Jul 21, 2024 06:37:11.082616091 CEST	192.168.2.4	8.8.8.8	f7e0	Echo
Jul 21, 2024 06:37:11.089118004 CEST	8.8.8.8	192.168.2.4	ffe0	Echo Reply
Jul 21, 2024 06:37:11.854916096 CEST	192.168.2.4	8.8.8.8	f7df	Echo
Jul 21, 2024 06:37:11.861134052 CEST	8.8.8.8	192.168.2.4	ffdf	Echo Reply
Jul 21, 2024 06:37:14.918550014 CEST	192.168.2.4	8.8.8.8	f7de	Echo
Jul 21, 2024 06:37:14.925329924 CEST	8.8.8.8	192.168.2.4	ffde	Echo Reply
Jul 21, 2024 06:37:15.058505058 CEST	192.168.2.4	8.8.8.8	f7dd	Echo
Jul 21, 2024 06:37:15.065285921 CEST	8.8.8.8	192.168.2.4	ffdd	Echo Reply
Jul 21, 2024 06:37:15.154512882 CEST	192.168.2.4	8.8.8.8	f7dc	Echo
Jul 21, 2024 06:37:15.161123037 CEST	8.8.8.8	192.168.2.4	ffdc	Echo Reply
Jul 21, 2024 06:37:17.090500116 CEST	192.168.2.4	8.8.8.8	f7db	Echo
Jul 21, 2024 06:37:17.097043991 CEST	8.8.8.8	192.168.2.4	ffdb	Echo Reply
Jul 21, 2024 06:37:21.090504885 CEST	192.168.2.4	8.8.8.8	f7da	Echo
Jul 21, 2024 06:37:21.097064018 CEST	8.8.8.8	192.168.2.4	ffda	Echo Reply
Jul 21, 2024 06:37:23.355067968 CEST	192.168.2.4	8.8.8.8	f7d9	Echo
Jul 21, 2024 06:37:23.361496925 CEST	8.8.8.8	192.168.2.4	ffd9	Echo Reply
Jul 21, 2024 06:37:23.651870012 CEST	192.168.2.4	8.8.8.8	f7d8	Echo
Jul 21, 2024 06:37:23.658175945 CEST	8.8.8.8	192.168.2.4	ffd8	Echo Reply
Jul 21, 2024 06:37:27.659151077 CEST	192.168.2.4	8.8.8.8	f7d7	Echo
Jul 21, 2024 06:37:27.665544033 CEST	8.8.8.8	192.168.2.4	ffd7	Echo Reply
Jul 21, 2024 06:37:31.261543036 CEST	192.168.2.4	8.8.8.8	f7d6	Echo
Jul 21, 2024 06:37:31.267900944 CEST	8.8.8.8	192.168.2.4	ffd6	Echo Reply
Jul 21, 2024 06:37:35.266547918 CEST	192.168.2.4	8.8.8.8	f7d5	Echo
Jul 21, 2024 06:37:35.273160934 CEST	8.8.8.8	192.168.2.4	ffd5	Echo Reply
Jul 21, 2024 06:37:36.418545961 CEST	192.168.2.4	8.8.8.8	f7d4	Echo
Jul 21, 2024 06:37:36.425097942 CEST	8.8.8.8	192.168.2.4	ffd4	Echo Reply
Jul 21, 2024 06:37:40.430550098 CEST	192.168.2.4	8.8.8.8	f7d3	Echo
Jul 21, 2024 06:37:40.437068939 CEST	8.8.8.8	192.168.2.4	ffd3	Echo Reply
Jul 21, 2024 06:37:43.294548035 CEST	192.168.2.4	8.8.8.8	f7d2	Echo
Jul 21, 2024 06:37:43.301178932 CEST	8.8.8.8	192.168.2.4	ffd2	Echo Reply
Jul 21, 2024 06:37:43.667490959 CEST	192.168.2.4	8.8.8.8	f7d1	Echo
Jul 21, 2024 06:37:43.699852943 CEST	8.8.8.8	192.168.2.4	ffd1	Echo Reply
Jul 21, 2024 06:37:46.901658058 CEST	192.168.2.4	8.8.8.8	f7d0	Echo
Jul 21, 2024 06:37:46.908037901 CEST	8.8.8.8	192.168.2.4	ffd0	Echo Reply
Jul 21, 2024 06:37:49.425477982 CEST	192.168.2.4	8.8.8.8	f7cf	Echo
Jul 21, 2024 06:37:49.431981087 CEST	8.8.8.8	192.168.2.4	ffcf	Echo Reply
Jul 21, 2024 06:37:53.426018953 CEST	192.168.2.4	8.8.8.8	f7ce	Echo
Jul 21, 2024 06:37:53.432614088 CEST	8.8.8.8	192.168.2.4	ffce	Echo Reply
Jul 21, 2024 06:37:56.276632071 CEST	192.168.2.4	8.8.8.8	f7cd	Echo
Jul 21, 2024 06:37:56.283272028 CEST	8.8.8.8	192.168.2.4	ffcd	Echo Reply
Jul 21, 2024 06:37:56.794703007 CEST	192.168.2.4	8.8.8.8	f7cc	Echo
Jul 21, 2024 06:37:56.801384926 CEST	8.8.8.8	192.168.2.4	ffcc	Echo Reply
Jul 21, 2024 06:37:58.042417049 CEST	192.168.2.4	8.8.8.8	f7cb	Echo
Jul 21, 2024 06:37:58.049446106 CEST	8.8.8.8	192.168.2.4	ffcb	Echo Reply
Jul 21, 2024 06:38:00.432837009 CEST	192.168.2.4	8.8.8.8	f7ca	Echo
Jul 21, 2024 06:38:00.439214945 CEST	8.8.8.8	192.168.2.4	ffca	Echo Reply
Jul 21, 2024 06:38:04.440541983 CEST	192.168.2.4	8.8.8.8	f7c9	Echo
Jul 21, 2024 06:38:04.447118044 CEST	8.8.8.8	192.168.2.4	ffc9	Echo Reply
Jul 21, 2024 06:38:08.245246887 CEST	192.168.2.4	8.8.8.8	f7c8	Echo
Jul 21, 2024 06:38:08.252650976 CEST	8.8.8.8	192.168.2.4	ffc8	Echo Reply
Jul 21, 2024 06:38:12.245168924 CEST	192.168.2.4	8.8.8.8	f7c7	Echo
Jul 21, 2024 06:38:12.251795053 CEST	8.8.8.8	192.168.2.4	ffc7	Echo Reply
Jul 21, 2024 06:38:16.260035038 CEST	192.168.2.4	8.8.8.8	f7c6	Echo
Jul 21, 2024 06:38:16.267230034 CEST	8.8.8.8	192.168.2.4	ffc6	Echo Reply
Jul 21, 2024 06:38:20.112237930 CEST	192.168.2.4	8.8.8.8	f7c5	Echo
Jul 21, 2024 06:38:20.118757963 CEST	8.8.8.8	192.168.2.4	ffc5	Echo Reply

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 21, 2024 06:35:25.255194902 CEST	192.168.2.4	1.1.1.1	0xc429	Standard query (0)	skm.idmelon.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 21, 2024 06:35:25.458638906 CEST	1.1.1.1	192.168.2.4	0xc429	No error (0)	skm.idmelon.com	k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 21, 2024 06:35:25.458638906 CEST	1.1.1.1	192.168.2.4	0xc429	No error (0)	k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com		34.214.245.150	A (IP address)	IN (0x0001)	false
Jul 21, 2024 06:35:25.458638906 CEST	1.1.1.1	192.168.2.4	0xc429	No error (0)	k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com		52.88.128.255	A (IP address)	IN (0x0001)	false
Jul 21, 2024 06:35:25.458638906 CEST	1.1.1.1	192.168.2.4	0xc429	No error (0)	k8s-ingress-d93558caa8-947706621.us-west-2.elb.amazonaws.com		52.35.62.19	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

skm.idmelon.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	34.214.245.150	443	5064	C:\Program Files (x86)\IDmelon\Accesskey\Service.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-21 04:35:26 UTC	318	OUT	POST /apis/access-key-cli/v1/apps HTTP/1.1 Accept: application/json, text/json, text/x-json, text/javascript, application/xml, text/xml User-Agent: RestSharp/110.2.0.0 Content-Type: application/json Host: skm.idmelon.com Content-Length: 348 Expect: 100-continue Accept-Encoding: gzip Connection: Keep-Alive
2024-07-21 04:35:26 UTC	25	IN	HTTP/1.1 100 Continue
2024-07-21 04:35:26 UTC	348	OUT	Data Raw: 7b 22 75 6e 69 71 75 65 49 64 22 3a 22 58 52 46 34 43 54 36 53 52 50 48 45 41 31 36 30 56 4e 35 54 56 37 36 36 41 59 48 43 52 56 42 51 51 39 34 4a 5a 41 56 50 32 32 48 30 41 59 58 46 43 4e 5a 47 22 2c 22 6f 73 22 3a 7b 22 6e 61 6d 65 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 39 30 34 35 22 7d 2c 22 61 70 70 76 65 72 73 69 6f 6e 22 3a 22 32 2e 37 2e 30 2e 30 22 2c 22 50 43 4e 61 6d 65 22 3a 22 31 34 31 37 30 30 22 2c 22 75 73 65 72 4e 61 6d 65 22 3a 22 53 59 53 54 45 4d 22 2c 22 64 65 76 69 63 65 49 64 22 3a 6e 75 6c 6c 2c 22 70 75 62 6c 69 63 4b 65 79 22 3a 22 30 34 37 35 35 38 39 64 39 35 38 35 34 62 64 37 66 30 65 37 39 39 32 61 66 63 35 61 33 61 35 61 66 32 33 30 63 63 36 Data Ascii: {"uniqueId":"XRF4CT6SRPHEA160VN5TV766AYHCRVBQQ94JZAVP22H0AYXFCNZG","os":{"name":"Microsoft Windows 10 Pro","version":"19045"},"appversion":"2.7.0.0","PCName":"141700","userName":"SYSTEM","deviceId":null,"publicKey":"0475589d95854bd7f0e7992afc5a3a5af230cc6
2024-07-21 04:35:26 UTC	1788	IN	HTTP/1.1 200 OK Date: Sun, 21 Jul 2024 04:35:26 GMT Content-Type: application/json; charset=utf-8 Content-Length: 496 Connection: close Set-Cookie: AWSALB=Xs9D2OK848Xgenn3n8sK2KoBXbpVgqzDC5vuiHfEaLX8oCD7onX5l/2y14eZTwbLxG/MmPvEggDIMjAjcHHQcQc38pFdAk2JGtGwGfDRVEFa6u0L9Lz6jZP36s1p; Expires=Sun, 28 Jul 2024 04:35:26 GMT; Path=/ Set-Cookie: AWSALBCORS=Xs9D2OK848Xgenn3n8sK2KoBXbpVgqzDC5vuiHfEaLX8oCD7onX5l/2y14eZTwbLxG/MmPvEggDIMjAjcHHQcQc38pFdAk2JGtGwGfDRVEFa6u0L9Lz6jZP36s1p; Expires=Sun, 28 Jul 2024 04:35:26 GMT; Path=/; SameSite=None; Secure Access-Control-Allow-Origin: * Content-Security-Policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Origin-Agent-Cluster: ?1 Referrer-Policy: no-referrer Strict-Transport-Security: max-age=15552000; includeSubDomains X-Content-Type-Options: nosniff X-DNS-Prefetch-Control: off X-Download-Options: noopen X-Frame-Options: SAMEORIGIN X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 0 ETag: W/"1f0-25PXIOn9fDbQ2YJMxD70CnVoy6Q" {"appId":"669c900e0431ff000837d547","PCName":"141700","ip":"8.46.123.33","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjp7ImNyZWF0ZWRBdCI6MTcyMTUzNjUyNjg4MCwiX2lkIjoiNjY5YzkwMGUwNDMxZmYwMDA4MzdkNTQ3In0sImlwIjoiOC40Ni4xMjMuMzMiLCJ1c2VyQWdlbnQiOiJSZXN0U2hhcnAvMTEwLjIuMC4wIiwiaWF0IjoxNzIxNTM2NTI2fQ.lAFTXKb0Zv2nI1iLvPNnotIrLG7Meqmmz8NGQKY_sKg","publicKey":"04e80ad41dd32e8b28bfd640e6d08e4bbea84d7f8bbb3e03797c3673e5f4b2f236faad80ab6cfa5169a1047ff1b558fcebaf87b8ef788dbb27b2c0fdde32b84623"}

Target ID:	0
Start time:	00:35:11
Start date:	21/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"
Imagebase:	0x400000
File size:	32'784'232 bytes
MD5 hash:	C0D645827131AC1166DBE06D45511323
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Windows\SysWOW64\setx.exe
Wow64 process (32bit):	true
Commandline:	setx /M IDmelonMode access-key
Imagebase:	0x400000
File size:	46'592 bytes
MD5 hash:	5B700BC00E451033B2F9EEF349A91D1C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyService "C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Application "C:\Program Files (x86)\IDmelon\Accesskey"\Service.exe
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:35:18
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\service_logs.log"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Description "Coordinates the communications for using IDmelon solution as a roaming authenticator"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:35:19
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStdoutCreationDisposition 4
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppStderrCreationDisposition 4
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateFiles 1
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateOnline 0
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:35:20
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateSeconds 14400
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService AppRotateBytes 5000000
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyService Start SERVICE_AUTO_START
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" restart AccesskeyService
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	00:35:21
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	00:35:22
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:35:22
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\Service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\Service.exe"
Imagebase:	0x19d22290000
File size:	165'928 bytes
MD5 hash:	9E99F6F2DC43830D3959E55EDDDDB422
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	00:35:22
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	00:35:23
Start date:	21/07/2024
Path:	C:\Windows\System32\dsregcmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\dsregcmd.exe" /status
Imagebase:	0x7ff634ad0000
File size:	468'992 bytes
MD5 hash:	866989AA656CF67780143376C12DF510
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:35:23
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" status AccesskeyService
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:35:23
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" start AccesskeyService
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccesskeyHid
Imagebase:	0x7ff694610000
File size:	83'456 bytes
MD5 hash:	6EA4F64D02AE236A6B60E5E665079A89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" remove root\AccessKeyFidoVhid
Imagebase:	0x7ff694610000
File size:	83'456 bytes
MD5 hash:	6EA4F64D02AE236A6B60E5E665079A89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	00:35:24
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\Driver\devcon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\driver\devcon.exe" install "C:\Program Files (x86)\IDmelon\Accesskey\driver\accesskeyfidovhid.inf" root\AccessKeyFidoVhid
Imagebase:	0x7ff694610000
File size:	83'456 bytes
MD5 hash:	6EA4F64D02AE236A6B60E5E665079A89
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	00:35:25
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	00:35:26
Start date:	21/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	00:35:26
Start date:	21/07/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{e57175bf-8fbc-764b-ad7a-50e1a8f38e0f}\accesskeyfidovhid.inf" "9" "4196477d7" "0000000000000168" "WinSta0\Default" "0000000000000100" "208" "c:\program files (x86)\idmelon\accesskey\driver"
Imagebase:	0x7ff72a770000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	00:35:27
Start date:	21/07/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "2" "211" "ROOT\HIDCLASS\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:50ab71fe221ae399:AccessKeyFidoVhid:21.4.53.488:root\accesskeyfidovhid," "4196477d7" "0000000000000168"
Imagebase:	0x7ff72a770000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	00:35:28
Start date:	21/07/2024
Path:	C:\Windows\System32\drivers\WUDFRd.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	315'392 bytes
MD5 hash:	0B7A5464602DA68DA6BEFC2A1B5BE4C5
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	53
Start time:	00:35:28
Start date:	21/07/2024
Path:	C:\Windows\System32\drivers\mshidumdf.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	12'288 bytes
MD5 hash:	9E90FE6DF363D2427A5C773120E7B27D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	54
Start time:	00:35:28
Start date:	21/07/2024
Path:	C:\Windows\System32\WUDFHost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WUDFHost.exe" -HostGUID:{193a1820-d9ac-4997-8c55-be817523f6aa} -IoEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-3ba73f07-7082-44ba-ac25-62d6a3756b80 -SystemEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-0c2aa50f-a6b5-49c5-8b4d-5aa353434dea -IoCancelEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-d4f7a26f-e897-4801-9374-f1c601e77e78 -NonStateChangingEventPortName:\UMDFCommunicationPorts\WUDF\HostProcess-ec48fbad-1509-4711-bef9-62c3b1e095c0 -LifetimeId:a4533485-4f57-41b2-936a-ec5cac55ccfb -DeviceGroupId:WudfDefaultDevicePool -HostArg:0
Imagebase:	0x7ff7e7d50000
File size:	271'872 bytes
MD5 hash:	00E2EF3D2C9309CA4135195A049CC79C
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	55
Start time:	00:35:28
Start date:	21/07/2024
Path:	C:\Windows\System32\drvinst.exe
Wow64 process (32bit):	false
Commandline:	DrvInst.exe "1" "0" "HID\HIDCLASS\1&2d595ca7&0&0000" "" "" "4eeb73e57" "0000000000000000"
Imagebase:	0x7ff72a770000
File size:	337'920 bytes
MD5 hash:	294990C88B9D1FE0A54A1FA8BF4324D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" install AccesskeyReaderService "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Application "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\accesskey-reader-service.exe"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppDirectory "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdout "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	00:35:30
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStderr "C:\Program Files (x86)\IDmelon\Accesskey\accesskey-reader\service_logs.log"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService Description "IDmelon Accesskey reader service which is responsible for reading Accesskey IDs"
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe" set AccesskeyReaderService AppStdoutCreationDisposition 4
Imagebase:	0x140000000
File size:	373'288 bytes
MD5 hash:	17DE7869B1B721B3FFF9DBE111CAAFF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	00:35:31
Start date:	21/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	29.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1353
Total number of Limit Nodes:	45

Executed Functions

Function 00403552 Relevance: 86.2, APIs: 33, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403575
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004035A0
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004035B3
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040364C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403689
OleInitialize.OLE32(00000000), ref: 00403690
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 004036AF
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036C4
CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000020,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036FD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403835
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403852
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403866
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040386E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403887
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040389B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403974

Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584

wsprintfW.USER32 ref: 004039D1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 00403A04
DeleteFileW.KERNEL32(00437800), ref: 00403A10
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A3E

Part of subcall function 00406337: MoveFileExW.KERNEL32(?,?,00000005,00405E35,?,00000000,000000F1,?,?,?,?,?), ref: 00406341

CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A54

Part of subcall function 00405B5A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B83
Part of subcall function 00405B5A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B90

Part of subcall function 004068D4: FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F97,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
Part of subcall function 004068D4: FindClose.KERNEL32(00000000), ref: 004068EB

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A9D
OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AA2
ExitProcess.KERNEL32 ref: 00403ABF
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AC6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AE2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AE9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AFE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B21
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B46
ExitProcess.KERNEL32 ref: 00403B69

Part of subcall function 00405B25: CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 004036CA, 004036D0, 004036E5, 004038C3
SeShutdownPrivilege, xrefs: 00403AF8
Error launching installer, xrefs: 0040391D
\Temp, xrefs: 0040384C
C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 00403947
TEMP, xrefs: 0040387A
UXTHEME, xrefs: 00403640, 00403645, 0040364B
TMP, xrefs: 00403882
Low, xrefs: 00403868
NSIS Error, xrefs: 004036B5
1033, xrefs: 00403896
C:\Users\user\AppData\Local\Temp\, xrefs: 0040382A, 0040382F, 00403845, 00403851, 00403860, 0040386D, 00403879, 00403881, 0040396F, 004039F0, 00403A1C, 00403A3D, 00403A46
C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, xrefs: 00403A4F
C:\Program Files (x86)\IDmelon, xrefs: 0040381A, 0040393C, 00403989, 00403997
~nsu%X.tmp, xrefs: 004039C8
C:\Users\user\Desktop, xrefs: 00403992

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$1033$C:\Program Files (x86)\IDmelon$C:\Program Files (x86)\IDmelon\Accesskey$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-3056925620
Opcode ID: e7e0cd5b0ef4c9577908e2ee54baf6434358d7d27fb2459445cbf059cdb406f7
Instruction ID: 854c728f01c0035939758d15b123b9002cb8995d15bf2fdbd915a0a46deb4321
Opcode Fuzzy Hash: e7e0cd5b0ef4c9577908e2ee54baf6434358d7d27fb2459445cbf059cdb406f7
Instruction Fuzzy Hash: 6DF1F470604301ABD320AF659D05B6B7EE8EB8570AF10483FF581B22D1DB7DDA458B6E

Function 0040573B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405799
GetDlgItem.USER32(?,000003EE), ref: 004057A8
GetClientRect.USER32(?,?), ref: 004057E5
GetSystemMetrics.USER32(00000002), ref: 004057EC
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040580D
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040581E
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405831
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040583F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405852
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405874
ShowWindow.USER32(?,00000008), ref: 00405888
GetDlgItem.USER32(?,000003EC), ref: 004058A9
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004058B9
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058D2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058DE
GetDlgItem.USER32(?,000003F8), ref: 004057B7

Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539

GetDlgItem.USER32(?,000003EC), ref: 004058FB
CreateThread.KERNELBASE(00000000,00000000,Function_000056CF,00000000), ref: 00405909
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405910
ShowWindow.USER32(00000000), ref: 00405934
ShowWindow.USER32(?,00000008), ref: 00405939
ShowWindow.USER32(00000008), ref: 00405983
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004059B7
CreatePopupMenu.USER32 ref: 004059C8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059DC
GetWindowRect.USER32(?,?), ref: 004059FC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405A15
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A4D
OpenClipboard.USER32(00000000), ref: 00405A5D
EmptyClipboard.USER32 ref: 00405A63
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A6F
GlobalLock.KERNEL32(00000000), ref: 00405A79
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A8D
GlobalUnlock.KERNEL32(00000000), ref: 00405AAD
SetClipboardData.USER32(0000000D,00000000), ref: 00405AB8
CloseClipboard.USER32 ref: 00405ABE

Strings

{, xrefs: 004059A1

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: a6b03d6253f0693a7e446d599fbd443ff6998c32a83cf6a7614abef3e4004c11
Instruction ID: d3b07f9c2581fb6b60ef1a2666babd9f8dcdaaa8066b0d43d813b8afd8e95190
Opcode Fuzzy Hash: a6b03d6253f0693a7e446d599fbd443ff6998c32a83cf6a7614abef3e4004c11
Instruction Fuzzy Hash: 03B159B0900608FFDF11AF60DD89AAE7B79FB48355F00813AFA45BA1A0C7785A51DF58

Function 00405C83 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405CAC
lstrcatW.KERNEL32(0042EA70,\*.*), ref: 00405CF4
lstrcatW.KERNEL32(?,0040A014), ref: 00405D17
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405D1D
FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405D2D
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DCD
FindClose.KERNEL32(00000000), ref: 00405DDC

Strings

\*.*, xrefs: 00405CEE
"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 00405C8C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C90
pB, xrefs: 00405CDC

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-375994177
Opcode ID: 06b40870d9db2984f76d7466e756925df4fbec91ebb4a1c75f6c7faa270cb809
Instruction ID: 26a84cf893ecfac7fe2d2a8ab9ced37764d13583991ceadb599b2dfedf858990
Opcode Fuzzy Hash: 06b40870d9db2984f76d7466e756925df4fbec91ebb4a1c75f6c7faa270cb809
Instruction Fuzzy Hash: 8E41B030800A18B6CB21AB65DC4DAAF7778EF42718F10813BF851711D1DB7C4A82DEAE

Function 004068D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(74DF3420,0042FAB8,C:\,00405F97,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 004068DF
FindClose.KERNEL32(00000000), ref: 004068EB

Strings

C:\, xrefs: 004068D4

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 1cf04926a4a3889f6b92b588199f87985a57aa1d1812818edfb9113e4ef6e03f
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 53D012725162209BC240673CBD0C84B7A58AF253317518A3AF46AF61E0DB348C639699

Function 004021CF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E

Strings

C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 0040228E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Program Files (x86)\IDmelon\Accesskey
API String ID: 542301482-2077697000
Opcode ID: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
Instruction ID: 879178e2914a864b6efeea5842d2d3985b85c893096dfa9a9f6c7732eb85e553
Opcode Fuzzy Hash: 99423ef168fa0dc7d563ab215b90f00d26a2448a52d76e49bcb10065e06d2d2e
Instruction Fuzzy Hash: D1412571A00209AFCB00DFE4CA89A9D7BB5FF48318B20457EF505EB2D1DB799981CB54

Function 00403FF7 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404033
ShowWindow.USER32(?), ref: 00404053
GetWindowLongW.USER32(?,000000F0), ref: 00404065
ShowWindow.USER32(?,00000004), ref: 0040407E
DestroyWindow.USER32 ref: 00404092
SetWindowLongW.USER32(?,00000000,00000000), ref: 004040AB
GetDlgItem.USER32(?,?), ref: 004040CA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040DE
IsWindowEnabled.USER32(00000000), ref: 004040E5
GetDlgItem.USER32(?,00000001), ref: 00404190
GetDlgItem.USER32(?,00000002), ref: 0040419A
SetClassLongW.USER32(?,000000F2,?), ref: 004041B4
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404205
GetDlgItem.USER32(?,00000003), ref: 004042AB
ShowWindow.USER32(00000000,?), ref: 004042CC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042DE
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042F9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040430F
EnableMenuItem.USER32(00000000), ref: 00404316
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040432E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404341
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040436B
SetWindowTextW.USER32(?,0042CA68), ref: 0040437F
ShowWindow.USER32(?,0000000A), ref: 004044B3

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$CallbackDispatcherMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
String ID:
API String ID: 3964124867-0
Opcode ID: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
Instruction ID: 8cad316efbf8f9c89f6feec2797fb874042f4abab253e3557332251604c97906
Opcode Fuzzy Hash: 85e06a1bfb462d71b49bda8b571905cea54c43c8c85ee92c4a54339351a5f343
Instruction Fuzzy Hash: C6C1A1B1500204BBDB206F61EE89E2B3AA8FB85755F01453EF751B51F0CB39A8529B2D

Function 00403C49 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040696B: GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
Part of subcall function 0040696B: GetProcAddress.KERNEL32(00000000,?), ref: 00406998

lstrcatW.KERNEL32(1033,0042CA68), ref: 00403CCA
lstrlenW.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,74DF3420), ref: 00403D4A
lstrcmpiW.KERNEL32(?,.exe,Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\IDmelon,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D5D
GetFileAttributesW.KERNEL32(Remove folder: ), ref: 00403D68
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\IDmelon), ref: 00403DB1

Part of subcall function 004064BE: wsprintfW.USER32 ref: 004064CB

RegisterClassW.USER32(004336A0), ref: 00403DEE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403E06
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E3B
ShowWindow.USER32(00000005,00000000), ref: 00403E71
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E9D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403EAA
RegisterClassW.USER32(004336A0), ref: 00403EB3
DialogBoxParamW.USER32(?,00000000,00403FF7,00000000), ref: 00403ED2

Strings

"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 00403C4C
_Nb, xrefs: 00403DCD, 00403E35
RichEdit, xrefs: 00403EA4
RichEd32, xrefs: 00403E85
Control Panel\Desktop\ResourceLocale, xrefs: 00403C7D
.DEFAULT\Control Panel\International, xrefs: 00403CB5
Remove folder: , xrefs: 00403D11, 00403D1A, 00403D28, 00403D77, 00403D7D
.exe, xrefs: 00403D57
1033, xrefs: 00403C69, 00403CC5
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C4E
RichEdit20W, xrefs: 00403E95, 00403E9B
RichEd20, xrefs: 00403E77
C:\Program Files (x86)\IDmelon, xrefs: 00403CD9, 00403CE1, 00403D84, 00403D8A, 00403D9A

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\IDmelon$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3268727705
Opcode ID: 5e20c267018cc28429e7407a64d751b23d4fe7797b8e7b228d04f4c9996f5690
Instruction ID: c722afd28cb3ad108a11d8546cd61d6ece1c23d3a169ae69e987cf65e7f86a01
Opcode Fuzzy Hash: 5e20c267018cc28429e7407a64d751b23d4fe7797b8e7b228d04f4c9996f5690
Instruction Fuzzy Hash: 7961C370500700BED620AF66AD46F2B3A6CEB85B5AF40053FF945B22E2DB7C5941CA6D

Function 004030A2 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030B3
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,00000400), ref: 004030CF

Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040311B
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251

Strings

soft, xrefs: 00403190
"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 004030A8
C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
Error launching installer, xrefs: 004030F2
Null, xrefs: 00403199
C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe, xrefs: 004030B9, 004030C8, 004030DC, 004030FC
Inst, xrefs: 00403187
C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2171173163
Opcode ID: f372480b0837c6c57a2d238aa6b96231c33c595cef11dcb5259494f9e9f0d70c
Instruction ID: 55eb758a8cc994b5b8f5e8324c308f37a69edd03a8198e206d37cac48cd63750
Opcode Fuzzy Hash: f372480b0837c6c57a2d238aa6b96231c33c595cef11dcb5259494f9e9f0d70c
Instruction Fuzzy Hash: E9519171900204AFDB209FA5DD86B9E7EACEB09356F20417BF504B62D1C7789F408BAD

Function 004065B4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Remove folder: ,00000400), ref: 004066D6
GetWindowsDirectoryW.KERNEL32(Remove folder: ,00000400,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,?,?,00000000,00000000,00425A20,74DF23A0), ref: 004066EC
SHGetPathFromIDListW.SHELL32(00000000,Remove folder: ), ref: 0040674A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406753
lstrcatW.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 0040677E
lstrlenW.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,?,?,00000000,00000000,00425A20,74DF23A0), ref: 004067D8

Strings

Remove folder: , xrefs: 004065E1, 0040669B, 004066A2, 004066A6, 004066BF, 004066C0, 004066D5, 004066EB, 0040671C, 00406748, 0040677D, 00406783, 004067A0, 004067B3, 004067D1, 004067D7, 004067E0, 00406815
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406778
Software\Microsoft\Windows\CurrentVersion, xrefs: 004066A7
Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\, xrefs: 004065D8

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-117590677
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc4c1bf1ff31ba1b34cdfc75387d7881e57296f2874843d1a5ebc397bafcf832
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: D16135716042009BD720AF24DD80B6B76E8EF85328F12453FF647B32D0DB7D9961865E

Function 004032D9 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403343
GetTickCount.KERNEL32 ref: 004033EA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403413
wsprintfW.USER32 ref: 00403426

Strings

*B, xrefs: 00403304
A, xrefs: 004034A3
... %d%%, xrefs: 00403420
ZB, xrefs: 004033C7, 004033E2, 0040345F
A, xrefs: 00403399

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ ZB$ A$ A$... %d%%
API String ID: 551687249-3856725213
Opcode ID: eaa593b87575a6ec937a1f138dd1ec6c9bfb619ef7c698298e3bc5a85a372825
Instruction ID: 3a086bfa1ae904988031f2e91e2ff9394e13111a018eeb379290de00703e2b75
Opcode Fuzzy Hash: eaa593b87575a6ec937a1f138dd1ec6c9bfb619ef7c698298e3bc5a85a372825
Instruction Fuzzy Hash: 2F519F71900219DBCB11DF65DA44B9E7FB8AF44766F10413BE810BB2D1C7789A40CBA9

Function 00401794 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017D5
CompareFileTime.KERNEL32(-00000014,?,show,show,00000000,00000000,show,C:\Program Files (x86)\IDmelon\Accesskey,?,?,00000031), ref: 004017FA

Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584

Part of subcall function 004055FC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
Part of subcall function 004055FC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,0040343D), ref: 00405657
Part of subcall function 004055FC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\), ref: 00405669
Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7

Strings

show, xrefs: 004017B2, 004017BB, 004017C8, 004017DA, 004017E6, 0040181C, 00401832, 00401850, 0040188C, 0040190D, 00401916, 00401920, 0040192B
C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp, xrefs: 00401846, 00401864
C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll, xrefs: 0040185A, 00401876
C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 004017C3

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Program Files (x86)\IDmelon\Accesskey$C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp$C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll$show
API String ID: 1941528284-2025781149
Opcode ID: 86d07d04b1d7bc420b44533fa191de8f1a63e7a8af8a14afb7d0afcb2e6aa1a2
Instruction ID: 896c0c78208a39cbb5dd39340d0745d1a2bf2ace5f7797069eceb710e9101d93
Opcode Fuzzy Hash: 86d07d04b1d7bc420b44533fa191de8f1a63e7a8af8a14afb7d0afcb2e6aa1a2
Instruction Fuzzy Hash: 4C41B671900108BACB117BB5DD85DBE7AB9EF45328F21423FF412B10E2D73C8A919A2D

Function 004055FC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,0040343D), ref: 00405657
SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\), ref: 00405669
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\, xrefs: 0040561D, 0040562D, 00405633, 00405656, 00405662

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\
API String ID: 2531174081-4199893219
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 60923f6e922cea494a698f26c75bee70e53a21f42b4b77269416c2a585f1ce57
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9A21A171900258BACB119FA5ED449DFBFB4EF45310F50843AF908B22A0C3794A40CFA8

Function 00402975 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
GlobalFree.KERNEL32(?), ref: 00402A2B
GlobalFree.KERNELBASE(00000000), ref: 00402A3E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: aeea345b9e496e3d3fafa1617fda85685875a2e3d5cd25ef925516c77ed6eae9
Instruction ID: fd7949a1005e62e73a365a75524f2bbb059e9229dbd09bef2f8decdc6a7611be
Opcode Fuzzy Hash: aeea345b9e496e3d3fafa1617fda85685875a2e3d5cd25ef925516c77ed6eae9
Instruction Fuzzy Hash: FA31A271D00124BBCF21AFA5CE89D9E7E79AF45324F14423AF421762E1CB798D418FA8

Function 00402ECE Relevance: 9.1, APIs: 6, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
RegDeleteKeyExW.KERNELBASE(?,?,00100020,00000000,00000003,?,?), ref: 00402FAF

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteEnum$Value
String ID:
API String ID: 3807931542-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 446d876c474c9d83549856ad9cac23e68bb7371358ae7480bd0e7fa7c4692e5e
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 1D212A7150010ABFDF129F90CE89EEF7A7DEB54388F110076B909B21E0E7B58E54AA64

Function 004068FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
wsprintfW.USER32 ref: 0040694D
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406961

Strings

%s%S.dll, xrefs: 00406947
UXTHEME, xrefs: 00406904

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: 6d7bab0cfc2d48cbbbe6bb2f91b005b1c0391479526b60628745523d5c0137a7
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 66F02B71501129A7CF10AB68DD0EF9F376CAB00304F10447AA646F10E0EB7CDB69CB98

Function 00401C68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0

Strings

!, xrefs: 00401CA4

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
Instruction ID: 1a2acd516b32d4a8bba1f086ee74ddb70cdd2400578aaa813c3bd98b8eca9c32
Opcode Fuzzy Hash: a637eb720a8cb25f7279c4c7dfa93e68b81a041eba1bee5adc213dda34b2fd0f
Instruction Fuzzy Hash: 1121A071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF501B61D0D7B88941DB98

Function 004024AF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp,00000023,00000011,00000002), ref: 004024FA
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp,00000000,00000011,00000002), ref: 0040253A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp,00000000,00000011,00000002), ref: 00402622

Strings

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp, xrefs: 004024EB, 004024F9, 00402510, 00402524, 0040252F

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp
API String ID: 2655323295-482291397
Opcode ID: 1ee84d76f42b9e83beb61e37e14ca78df45b1a10c6f610f11eef06d316a7ff26
Instruction ID: 9ef1a868ac7dccf2a0d827ba333ec8444b87bd6dca13d8647f6a5f0896484b93
Opcode Fuzzy Hash: 1ee84d76f42b9e83beb61e37e14ca78df45b1a10c6f610f11eef06d316a7ff26
Instruction Fuzzy Hash: DF11B131D00119BEEF00AFA1DE4AAAEB6B4EF44318F20443FF404B61D1D7B88E009A68

Function 00405F4E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406577: lstrcpynW.KERNEL32(?,?,00000400,004036C4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406584

Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405FA7
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405FB7

Strings

C:\, xrefs: 00405F54, 00405F59, 00405F5F, 00405FA0, 00405FA6, 00405FAE, 00405FB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F4E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3049482934
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 6a7a19aedd3560da6e477bd72522a8c235124595f9c35bb96c459409ca5d5c37
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 28F0F42A105E6369C622333A5C05AAF1954CE86324B5A453FBC91F22C5CF3C8A42CDBE

Function 00406096 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004060B4
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403550,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C), ref: 004060CF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040609B
nsa, xrefs: 004060A3

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 0f0e971a11aa9000600537ad3b21051f2e76e4828209a3ca974843c19b3e0847
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: B5F09076B40204BBEB00CF69ED05F9EB7ACEBA5750F11803AE901F7180E6B099648768

Function 004015E6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405EF1: CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F04
Part of subcall function 00405EF1: CharNextW.USER32(00000000), ref: 00405F1C

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F

Part of subcall function 00405ACB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D

SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\IDmelon\Accesskey,?,00000000,000000F0), ref: 00401672

Strings

C:\Program Files (x86)\IDmelon\Accesskey, xrefs: 00401665

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Program Files (x86)\IDmelon\Accesskey
API String ID: 1892508949-2077697000
Opcode ID: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
Instruction ID: 104414052cab316a424bfe0d2ff1de268c148956b102069c6a2fab9df067ebf3
Opcode Fuzzy Hash: 522b783c9de46c7eb01671ee67dcdc22f4b8e2acc15c0cd2b2b5e6563b12514b
Instruction Fuzzy Hash: 0911BE31804514ABCF206FA5CD01AAE36B0EF14368B25493BE941B22F1C63A4A41DA5D

Function 00406445 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Remove folder: ,?,00000000,004066B6,80000002), ref: 0040648B
RegCloseKey.KERNELBASE(?), ref: 00406496

Strings

Remove folder: , xrefs: 0040644C

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: Remove folder:
API String ID: 3356406503-1958208860
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 39ab2095516423f533248995afa5b88f9e2e33bd0920f2eea258779ff0fd120f
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: AB017C72500209AADF21CF51CC09EDB3BACFB55364F01803AFD1AA21A0D778D964DBA8

Function 00403BB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,00403B8C,00403AA2,?,?,00000008,0000000A,0000000C), ref: 00403BCE
GlobalFree.KERNEL32(00000000), ref: 00403BD5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403BB4

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: 378dd3650374f781d23bf779db5809bbac3881e8a2166d277484928c36cee721
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 20E08C336204205BC6311F15AE05B1A77786F89B2AF01402AE8407B2628BB47C528FC8

Function 004020FD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402128

Part of subcall function 004055FC: lstrlenW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000,?), ref: 00405634
Part of subcall function 004055FC: lstrlenW.KERNEL32(0040343D,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,00000000,00425A20,74DF23A0,?,?,?,?,?,?,?,?,?,0040343D,00000000), ref: 00405644
Part of subcall function 004055FC: lstrcatW.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,0040343D), ref: 00405657
Part of subcall function 004055FC: SetWindowTextW.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\), ref: 00405669
Part of subcall function 004055FC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040568F
Part of subcall function 004055FC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004056A9
Part of subcall function 004055FC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004056B7

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402139
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004021B6

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: a9a1cb99ff15f1357771582dd7df8513af6aefa9ca18d0a30a4eed977a1c7e10
Instruction ID: ae41dde4eff0046a081fa93f434b6203791b13f397c20c3345ef6f3f33f6a532
Opcode Fuzzy Hash: a9a1cb99ff15f1357771582dd7df8513af6aefa9ca18d0a30a4eed977a1c7e10
Instruction Fuzzy Hash: 4B21A131904104EACF10AFA5CF89A9E7A71BF44369F30413BF105B91E5CBBD99829A2D

Function 00401BC0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00693DA8), ref: 00401C30
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42

Strings

show, xrefs: 00401BE7, 00401BED, 00401C07

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree
String ID: show
API String ID: 3394109436-839833857
Opcode ID: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
Instruction ID: b741a03fd702b7c6772e3f95c256d95ec8b7de3af2fdc922703a565136a7d287
Opcode Fuzzy Hash: b2bf5aa3fb98d5d7659b4efbfb09c2738223d3c1d5b8947c58a47baf3ffb3ed2
Instruction Fuzzy Hash: 9521F372904150EBDB20ABA4EE85E6E33B8AB04718715063FF542B72D5C7BCE8409B9D

Function 00405C3B Relevance: 4.5, APIs: 3, Instructions: 28fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406042: GetFileAttributesW.KERNELBASE(?,?,00405C47,?,?,00000000,00405E1D,?,?,?,?), ref: 00406047
Part of subcall function 00406042: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040605B

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405E1D), ref: 00405C56
DeleteFileW.KERNELBASE(?,?,?,00000000,00405E1D), ref: 00405C5E
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C76

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: c82196251123d647324ab779b7bb87df945e5a0710881db1f7e3845477fa960f
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: 96E0E53220D79116E21067305A4CB5F2998DF86724F05093AF892B11C1DB78494A8AAE

Function 004044CF Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000408,?,00000000,0040412E), ref: 004044ED

Strings

x, xrefs: 004044CF

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: x
API String ID: 3850602802-2363233923
Opcode ID: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
Instruction ID: 727aaa30b1a0279700c4ddf998542a6092130f4ca847e2a016c42ef825c52627
Opcode Fuzzy Hash: 940325285312ba596bb559440598d7c93f49923121e0d523c76edeea93f158b3
Instruction Fuzzy Hash: 62C012B1180200BECB105B80DE01F067B60E7A4B02F11A439F380240B087706862DB0C

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 00402459 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040247B
RegCloseKey.ADVAPI32(00000000), ref: 00402484

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 88532daaf68fc495be88ee40bdce2257086fb46b70832e880cbbaed8aa0e1354
Instruction ID: 8c17455a9467dbb84b7eb3278e4b377a62f271589af7dc4cff81b1a675067d18
Opcode Fuzzy Hash: 88532daaf68fc495be88ee40bdce2257086fb46b70832e880cbbaed8aa0e1354
Instruction Fuzzy Hash: 6CF06832A045219BDB10BBA5DA8E5AE62A5AB44354F11443FE502B71C1CAF84D02977D

Function 004056CF Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004056DF

Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554

OleUninitialize.OLE32(00000404,00000000), ref: 0040572B

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction ID: 52f38fc7938b2997ebb4afee836ba7d943988f66c47461a03c1f49ca59b4ab2d
Opcode Fuzzy Hash: bbf0263ab9fe446523fd7f753457698ace2b8a2c52ebc29179148d008809b166
Instruction Fuzzy Hash: 2AF02E72400610DBE7016B94AD02BA373A8FBC53A5F05503EFF89B32E0CB3658018B5D

Function 00405ACB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405B0D
GetLastError.KERNEL32 ref: 00405B1B

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 83f907d2df1d2810bbbe2cf052e9f9ea9028798b61a5f10ffece60f544324ce8
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 44F0F4B0D1060EDBDB00DFA4D6497EFBBB4AB04309F00812AD941B6281D7B89248CBA9

Function 00401F03 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F21
EnableWindow.USER32(00000000,00000000), ref: 00401F2C

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
Instruction ID: 14a8ef39102396d835bb54982d99b4aace68b6eedf0c4e81be07541ee7d8ceed
Opcode Fuzzy Hash: 220038190f5765e08acb68cab3f819293a66988b7b4b21bab0f24e91f41eee4f
Instruction Fuzzy Hash: FEE04F76908610DFE748EBA4AE499EEB3F4EF80365B20197FE001F11D1DBB94D00966D

Function 0040696B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403662,0000000C,?,?,?,?,?,?,?,?), ref: 0040697D
GetProcAddress.KERNEL32(00000000,?), ref: 00406998

Part of subcall function 004068FB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406912
Part of subcall function 004068FB: wsprintfW.USER32 ref: 0040694D
Part of subcall function 004068FB: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406961

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction ID: f16a4ad3e9102b165210d3f50f6adbe363033f5fe81171ed8a06a41b6d2757eb
Opcode Fuzzy Hash: fa9529b661a20328ef717d54741181462d2da8a99b8882de0ad3477ad76f042b
Instruction Fuzzy Hash: F1E08673504311AAD6105B759D0492772E89F89750302443EF986F2140DB38EC32A6AE

Function 00402C2A Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,?), ref: 00402C39
InvalidateRect.USER32(?), ref: 00402C49

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
Instruction ID: 92b7ebcd256046620b39c8ea217ab7c3c79192c04b2b2643f27b5f3eae77931e
Opcode Fuzzy Hash: cfe8654151a7fb919b36f8ec236feca4529e6266032f4a9ef2e5c0ddbf65b270
Instruction Fuzzy Hash: 9EE0ECB2650504FFEB15DB94EE85DAEB7B9EB80355B00047EF101E1060D7745D91DB28

Function 00406067 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406042 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C47,?,?,00000000,00405E1D,?,?,?,?), ref: 00406047
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040605B

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: a0ae240d833e004fe72580c92a9f2193965d94811d262e1a0a63bc04ff00b3bc
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: 7ED0C972504220AFC2102728AE0889BBB55DB542717028A35F8A9A22B0CB304CA68694

Function 00403B6F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403AA2,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B7A

Strings

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\, xrefs: 00403B8E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\
API String ID: 2962429428-1540193091
Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction ID: 1b7086e6f2e4317af50c710f47857d00c701bc700238930339e1f9ec47f16c49
Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction Fuzzy Hash: 38C0223010070086F0202F389E0FA183A24670073DBA08329B0B8F00F3CF7C164C841D

Function 00405B25 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403545,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405B2B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B39

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 2532c664264170c07cbc731aa09703a23e3881c092aaf3b019fc47175ec23a7b
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 98C04C70604906DAD7505F219F087177960AB50741F158439A6C7F40A0DA74A455D92D

Function 004016A0 Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 004016BB

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
Instruction ID: b5cd7fb0f8cac405fb011e9cf8ea0a60cc8dc6b6af2237c550085c2a5a912803
Opcode Fuzzy Hash: 28dc5c50ebc12032345a7729cf35481b8c8bbd71f25d5d2fe63a1407a727cbb2
Instruction Fuzzy Hash: 1DF0903160812293CB1077B55F0ED9F26A49F8137CB21063FB112B21E1D6BCC902926E

Function 004023D7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040240E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: ca2f62041d63e4abf833ada0eb3473e8090594299762c22e2e4a91b8788c92d6
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: CEE086319105266BDB103AF20ECE9BE2058AF48308B24093FF512B61C2DEFC8C42567D

Function 00406412 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 0040643B

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: 173efcb61436e01de2ec3b268cd8b302251cd5bc368a703a1804e99dfb897165
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 51E0BF72010109BFEF095F60DD4AD7B3A1DE708610B11852EF906D5051E6B5A9705675

Function 00406119 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034BD,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040612D

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 5447fabf40714e60d37a3b8d529c829a5aab84dab7567664cea5a9789522ebfd
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: DFE08C3221021ABBDF109E518C00EEB3B6CEB003A0F014432FD26E7050D630E86097A4

Function 004060EA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403507,00000000,00000000,0040332B,000000FF,00000004,00000000,00000000,00000000), ref: 004060FE

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: 2902185137110ca2ffdb2282e3c832ce644deeff7f1201e2b4f2572205eed693
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: D0E08C3221021AABCF109E508C01EEB3BACFF043A0F014432FD12EB042D230E9229BA4

Function 004063E4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,00406472,?,?,?,?,Remove folder: ,?,00000000), ref: 00406408

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 12ce3b422fe6a0da393528f22193a7488631f194d1dbc4d2354a9349d97d7052
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 34D0123204020DBBEF115F90DD01FAB3B1DEB08310F018836FE06A4091D776D570A758

Function 004015C8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction ID: cd4f68ad1bc4df61111a8e6125a37bec327b368bc2224c93a9ffc6bdd58994c4
Opcode Fuzzy Hash: bd9eef0ddba76f96e5ede74a4073dc30a0544dd5bf06428a66fa2d1577afb889
Instruction Fuzzy Hash: 74D05B72B08101D7DB00DBE89B49A9E77A4DB50378B31853BD111F11D4D7B8C545A71D

Function 004044F6 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,00000000), ref: 00404510

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
Instruction ID: 97ac48dd61a0b469960c63b80490aac8c8cd18122c4a3518691629518e2bbf09
Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
Instruction Fuzzy Hash: 2DC08C31008200BFE241A704CC42F0FB3ECEF9031AF00C42EB05CE00D6C6B495208A26

Function 00404542 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction ID: 6ad8b1d984edffd0e08e34c6f36dd165e1dcb54a73607e2b540eae92d4c67d50
Opcode Fuzzy Hash: 8dc2ea4a8cffd810c80330d43262312fa0f844130cc7d84a637c392e617d0b66
Instruction Fuzzy Hash: ACC04C717402007BDA209F549D49F1777546790702F1495397351E51E0C674E550D61C

Function 0040350A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 00403518

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 0040452B Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction ID: 777369a795cbaa9bd4fd16da76cbada5404ff361b75e364c58eeef3f96c31ac9
Opcode Fuzzy Hash: 5e23afa4ba150cac51e31494d2c9f0ee7f8efb4361c8cf2b7a73957f204a5961
Instruction Fuzzy Hash: 6BB09235181600AADA115B40DE09F867BA2E7A4701F029438B340640B0CBB210A0DB08

Function 00404518 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,004042EF), ref: 00404522

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction ID: 186c68f4495094c0cebc3eb7279f68ffc90812dad8dfd9e689695b78415bb769
Opcode Fuzzy Hash: faa9f1bbc6a73408ed15535010d366895e2d742fa65bef251b9024de670fa5bb
Instruction Fuzzy Hash: 43A00176544A04ABCE12EB50EF4990ABB62BBA4B01B618879A285514388B325921EB19

Non-executed Functions

Function 004049E7 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A36
SetWindowTextW.USER32(00000000,?), ref: 00404A60
SHBrowseForFolderW.SHELL32(?), ref: 00404B11
CoTaskMemFree.OLE32(00000000), ref: 00404B1C
lstrcmpiW.KERNEL32(Remove folder: ,0042CA68,00000000,?,?), ref: 00404B4E
lstrcatW.KERNEL32(?,Remove folder: ), ref: 00404B5A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B6C

Part of subcall function 00405BBB: GetDlgItemTextW.USER32(?,?,00000400,00404BA3), ref: 00405BCE

Part of subcall function 00406825: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
Part of subcall function 00406825: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
Part of subcall function 00406825: CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
Part of subcall function 00406825: CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C2F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C4A

Part of subcall function 00404DA3: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
Part of subcall function 00404DA3: wsprintfW.USER32 ref: 00404E4D
Part of subcall function 00404DA3: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60

Strings

Remove folder: , xrefs: 00404B48, 00404B4D, 00404B58
A, xrefs: 00404B0A
C:\Program Files (x86)\IDmelon, xrefs: 00404B37

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Program Files (x86)\IDmelon$Remove folder:
API String ID: 2624150263-2023687464
Opcode ID: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
Instruction ID: 819d6111372f9eb468737b2dc9595d459319e5efb98401d1644bfd8e85b56d65
Opcode Fuzzy Hash: 716f91307e0c0206c4811f73cf3aa40f2f43fcc6cf09981b0470e9a043fb6368
Instruction Fuzzy Hash: 14A180B1901208ABDB11EFA5DD45BAFB7B8EF84314F11803BF601B62D1D77C9A418B69

Function 00402930 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 26e9208e2aa2ebd90a7e98889f3239c7d6ed4a815a584e9a2b1206afb1357c73
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: D1F08C71A04105AAD700EBE4EE499AEB378EF14324F20017BE112F31E5D7B89E509B2E

Function 00406DE6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: 02047a1f5ab1e1ae91636e32b2ea393de8a2dfbdc7c3bc720fead707395ef2b6
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: 74E19A71A0470ADFCB24CF58C890BAABBF5FF44305F15852EE496A72D1E738AA51CB05

Function 004075BD Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: 0a97e2f3c77d8a3c51360fc4da6bbcda8fc4cde0dfaec3b210e24d05d93e5961
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: 46C14872E042198BCF18DF68C4905EEB7B2BF88354F25866AD856B7380D734A942CF95

Function 00404F63 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F7B
GetDlgItem.USER32(?,00000408), ref: 00404F86
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FD0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FE7
SetWindowLongW.USER32(?,000000FC,00405570), ref: 00405000
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00405014
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405026
SendMessageW.USER32(?,00001109,00000002), ref: 0040503C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405048
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040505A
DeleteObject.GDI32(00000000), ref: 0040505D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405088
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405094
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040512F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040515F

Part of subcall function 0040452B: SendMessageW.USER32(00000028,?,00000001,00404356), ref: 00404539

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405173
GetWindowLongW.USER32(?,000000F0), ref: 004051A1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004051AF
ShowWindow.USER32(?,00000005), ref: 004051BF
SendMessageW.USER32(?,00000419,00000000,?), ref: 004052BA
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040531F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405334
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405358
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405378
ImageList_Destroy.COMCTL32(?), ref: 0040538D
GlobalFree.KERNEL32(?), ref: 0040539D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405416
SendMessageW.USER32(?,00001102,?,?), ref: 004054BF
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054CE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054F9
ShowWindow.USER32(?,00000000), ref: 00405547
GetDlgItem.USER32(?,000003FE), ref: 00405552
ShowWindow.USER32(00000000), ref: 00405559

Strings

M, xrefs: 00405117
, xrefs: 00405531
N, xrefs: 004051F8

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
Instruction ID: 2b71226c2ce540754c325362a134889399d6c5c4637dca841463e5b600fa6882
Opcode Fuzzy Hash: 90cd5b96e7067808b838d0f88060242d92195fc86ed4621a895529849429e476
Instruction Fuzzy Hash: 8802AD70900608AFDF20DFA8DD85AAF7BB5FB45314F10817AE611BA2E1D7798A41CF58

Function 004046B5 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404753
GetDlgItem.USER32(?,000003E8), ref: 00404767
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404784
GetSysColor.USER32(?), ref: 00404795
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004047A3
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004047B1
lstrlenW.KERNEL32(?), ref: 004047B6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047C3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047D8
GetDlgItem.USER32(?,0000040A), ref: 00404831
SendMessageW.USER32(00000000), ref: 00404838
GetDlgItem.USER32(?,000003E8), ref: 00404863
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004048A6
LoadCursorW.USER32(00000000,00007F02), ref: 004048B4
SetCursor.USER32(00000000), ref: 004048B7
LoadCursorW.USER32(00000000,00007F00), ref: 004048D0
SetCursor.USER32(00000000), ref: 004048D3
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404902
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404914

Strings

Remove folder: , xrefs: 00404892
N, xrefs: 00404851
,F@, xrefs: 004048BF

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: ,F@$N$Remove folder:
API String ID: 3103080414-938614624
Opcode ID: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
Instruction ID: ccb0ec9a7d9d767aff215416cd1a2e620de701fb5c4a8d8609e67ea5798c0c5e
Opcode Fuzzy Hash: ffd7346a229d966f7877475afaa511d8b27e78dae7af650fbb9c2f9128a087cb
Instruction Fuzzy Hash: 046192F1900209BFDB10AF64DD85EAA7B69FB84315F00853AFB05B65E0C778A951CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 004061BD Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406358,?,?), ref: 004061F8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 00406201

Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
Part of subcall function 00405FCC: lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 0040621E
wsprintfA.USER32 ref: 0040623C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406277
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406286
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004062BE
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406314
GlobalFree.KERNEL32(00000000), ref: 00406325
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040632C

Part of subcall function 00406067: GetFileAttributesW.KERNELBASE(00000003,004030E2,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 0040606B
Part of subcall function 00406067: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040608D

Strings

[Rename], xrefs: 004062A6, 004062B8
%ls=%ls, xrefs: 00406232

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: b6131911dca260ac1acd8a9d51529d53a14599eca6d80b74622841643bb82037
Instruction ID: 21ba76f912769f78f8e3df01d85e3e27af82f360ac84a16f7af8f01611abcd2b
Opcode Fuzzy Hash: b6131911dca260ac1acd8a9d51529d53a14599eca6d80b74622841643bb82037
Instruction Fuzzy Hash: 66314330240325BBD2206B659D48F6B3B6CDF45708F16043EFD42B62C2DA3C982486BD

Function 00406825 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00406888
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406897
CharNextW.USER32(?,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 0040689C
CharPrevW.USER32(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,0040352D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 004068AF

Strings

*?|<>/":, xrefs: 00406877
"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe", xrefs: 00406869
C:\Users\user\AppData\Local\Temp\, xrefs: 00406826

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2445662262
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: bedb2e6347f460b6a244a356934bd0223db9426f0f89d28790e15ec7ef568a4f
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: C911B66780221295DB303B148C40A7762A8AF59754F56C43FED86732C0E77C5C9282AD

Function 0040455D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040457A
GetSysColor.USER32(00000000), ref: 004045B8
SetTextColor.GDI32(?,00000000), ref: 004045C4
SetBkMode.GDI32(?,?), ref: 004045D0
GetSysColor.USER32(?), ref: 004045E3
SetBkColor.GDI32(?,?), ref: 004045F3
DeleteObject.GDI32(?), ref: 0040460D
CreateBrushIndirect.GDI32(?), ref: 00404617

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 3bf72a8e0ffa46ee4049c610ab3cabbd6d50cfb344f29d4a8179c655b9565abb
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2165B1500B04ABC7319F38DE08B577BF4AF41715F04892EEA96A26E0D739D944CB54

Function 00402711 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1

Part of subcall function 00406148: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040615E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D

Strings

9, xrefs: 00402760

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
Instruction ID: d1aefac9689752b6b3ea6a4f87dd4281ecbe68d6f3974aa7f4e2ef829afcd0bd
Opcode Fuzzy Hash: e6852b5c5fbfd8bc876860f3b14f1bcaed0b753dd9a04d4db6e12186382bd870
Instruction Fuzzy Hash: 66510C75D04119AADF20EFD4CA85AAEBBB9FF44304F14817BE501B62D0D7B89D828B58

Function 00404EB1 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404ECC
GetMessagePos.USER32 ref: 00404ED4
ScreenToClient.USER32(?,?), ref: 00404EEE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404F00
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F26

Strings

f, xrefs: 00404F02

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: fe1e2a7802b6c51c8f018a14413b1ee553013da7dc16083b389f375565560bf3
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 20015E71900219BADB00DB94DD85BFEBBBCAF95711F10412BBB51B61D0C7B4AA418BA4

Function 00401E73 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E76
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
ReleaseDC.USER32(?,00000000), ref: 00401EA9
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401EF8

Strings

MS Shell Dlg, xrefs: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: MS Shell Dlg
API String ID: 3808545654-76309092
Opcode ID: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
Instruction ID: 32ce691c062fdf7882ca7c79f7dc95dd78c7e40f541a0607bb82830de01dd458
Opcode Fuzzy Hash: d16b9d3e65f9976eb005c53eb2d4e9b3ac670e2d85412e8b50a51612330472b7
Instruction Fuzzy Hash: 3C017171905250EFE7005BB4EE49BDD3FA4AB19301F208A7AF142B61E2CBB904458BED

Function 00402FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
MulDiv.KERNEL32(01F42D36,00000064,01F43F68), ref: 00403001
wsprintfW.USER32 ref: 00403011
SetWindowTextW.USER32(?,?), ref: 00403021
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033

Strings

verifying installer: %d%%, xrefs: 0040300B

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: de78d71e2fb772fb87643f85aa6fa794cb5f2d0f129fd79c7e15704eeb750e6f
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 85014F71640208BBEF209F60DD49FEE3B79AB04344F008039FA02B51D0DBB996559B59

Function 00401DA6 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401DBF
GetClientRect.USER32(?,?), ref: 00401E0A
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
DeleteObject.GDI32(00000000), ref: 00401E5E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
Instruction ID: c57303c31a56d7bc8f2a0c5af16d3cdd50a2ae23bf22298ce01a5789fd7b985b
Opcode Fuzzy Hash: 81c9bb8771d2fff4a04963bae7b32cf8a9b6882c20dc3426dc9c78dd315e4f46
Instruction Fuzzy Hash: B9211972900119AFCB05DF98DE45AEEBBB5EB08354F14003AFA45F62A0D7789D81DB98

Function 00404DA3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E44
wsprintfW.USER32 ref: 00404E4D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E60

Strings

%u.%u%s%s, xrefs: 00404E2E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: f1ad69e943298bab6ea0b6c220370dbc78873d19d133ff1b34b391d97265b774
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: 3011EB336041287BDB10566DAC45E9E329CDF85374F250237FE25F21D5E978C92182E8

Function 00405EF1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F65,C:\,C:\,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405CA3,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe"), ref: 00405EFF
CharNextW.USER32(00000000), ref: 00405F04
CharNextW.USER32(00000000), ref: 00405F1C

Strings

C:\, xrefs: 00405EF2

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 0a1f1b5a9c7109d9782da40e5c64a20d368bd089a9add51530d5bf68f03dfa04
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 98F09062D00A2795DA31B7645C85A7766BCEB593A0B00807BE601B72C0D7BC48818EDA

Function 00405E46 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E4C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040353F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040383C,?,00000008,0000000A,0000000C), ref: 00405E56
lstrcatW.KERNEL32(?,0040A014), ref: 00405E68

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E46

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: f2f0f64a112d89f35c11d852d44423d34ca235ab8761dbed5ccf1744ff487032
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C2D05E31101534AAC6116F54AD04DDB62AC9E46384381483BF541B20A5C778595186FD

Function 00402663 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll), ref: 004026BA

Strings

C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp, xrefs: 004026A8
C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll, xrefs: 0040267E, 004026A3, 004026B5, 00402701

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp$C:\Users\user\AppData\Local\Temp\nsk9B0F.tmp\InstallOptions.dll
API String ID: 1659193697-3046679440
Opcode ID: a4ab9620505a7c85356e9c2108c39dfcc9113724b8f7ebba52d5104abcb2633f
Instruction ID: 2d8dd356423beb748054ff885628a6ea3dfbd93006732d19d47d72bde2aed11d
Opcode Fuzzy Hash: a4ab9620505a7c85356e9c2108c39dfcc9113724b8f7ebba52d5104abcb2633f
Instruction Fuzzy Hash: 3C11EB71A00315ABCB106FB19E466AE7761AF40748F21443FF502B71C1EAFD8891676E

Function 0040303E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
GetTickCount.KERNEL32 ref: 0040306F
CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
ShowWindow.USER32(00000000,00000005), ref: 0040309A

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
Instruction ID: e0f0fd039426b51c9db09d8e0aed7b7b9f53d87474512ec8403aba9b2c913b41
Opcode Fuzzy Hash: dba963b85b565a1be4b34eea4ba853e9dad76a83014f6dce089c5eda9641480c
Instruction Fuzzy Hash: 93F05470602A21ABC6216F50FE09A9B7B69FB45B12B41043AF545B11ACCB384891CB9D

Function 00405570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040559F
CallWindowProcW.USER32(?,?,?,?), ref: 004055F0

Part of subcall function 00404542: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404554

Strings

, xrefs: 00405580

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: f144bc20a23b2fc1dad06cc698734642626ca736bc3518a3bbd7873959a32aa8
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 21017171100608BBDF219F11DD84A9F376BEB84794F204037FA027A1D9C7398D529A69

Function 00405E92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 00405E98
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe,80000000,00000003), ref: 00405EA8

Strings

C:\Users\user\Desktop, xrefs: 00405E92

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: f09b3c5ebc87e5286f4ae90cf2a9e4f9baad7a67d9a69d6c991adc66958b5f71
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 40D05EB28019209ED3226B04EC0499F73A8EF123107868826E980A61A5D7785D818AEC

Function 00405FCC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FDC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FF4
CharNextA.USER32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406005
lstrlenA.KERNEL32(00000000,?,00000000,004062B1,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040600E

Memory Dump Source

Source File: 00000000.00000002.2060903488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2060886979.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060921863.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2060938460.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2061055445.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: b896d6fd3cda69cb85c158c7a33f171d68b8f81fed19edc6c2f6f75b2124ada4
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 64F0F631104418FFC702DFA5DD00D9EBBA8EF45350B2200B9E841FB250D674DE11AB68

Analysis Process: nssm.exePID: 2520, Parent PID: 5460COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	735
Total number of Limit Nodes:	45

Executed Functions

Function 000000014000D2D0 Relevance: 123.1, APIs: 40, Strings: 30, Instructions: 619registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 000000014000D36B
RegCloseKey.ADVAPI32 ref: 000000014000D374

Strings

AppRotateDelay, xrefs: 000000014000DBB2, 000000014000DBC8
AppStdout, xrefs: 000000014000D7DA, 000000014000D7F0, 000000014000D814, 000000014000D831, 000000014000D854, 000000014000D871, 000000014000D897, 000000014000D8B4, 000000014000D8D3, 000000014000D8F3
AppEnvironmentExtra, xrefs: 000000014000DC97, 000000014000DCCC, 000000014000DCF0
AppRedirectHook, xrefs: 000000014000DA83, 000000014000DA9C
AppRotateSeconds, xrefs: 000000014000DB1C, 000000014000DB32
Application, xrefs: 000000014000D346
AppTimestampLog, xrefs: 000000014000DA51, 000000014000DA6A
AppNoConsole, xrefs: 000000014000DBE1, 000000014000DBFA
AppAffinity, xrefs: 000000014000D48E, 000000014000D4AC, 000000014000D50E
AppStopMethodConsole, xrefs: 000000014000D5F1, 000000014000D607
AppRotateOnline, xrefs: 000000014000DAE7, 000000014000DB00
AppPriority, xrefs: 000000014000D417, 000000014000D42D
AppThrottle, xrefs: 000000014000D5BB, 000000014000D5D1
AppStopMethodWindow, xrefs: 000000014000D627, 000000014000D63D
AppKillProcessTree, xrefs: 000000014000D68C, 000000014000D6A5
AppRotateFiles, xrefs: 000000014000DAB5, 000000014000DACE
AppRestartDelay, xrefs: 000000014000D585, 000000014000D59B
AppDirectory, xrefs: 000000014000D3CE
AppParameters, xrefs: 000000014000D38B
CreationDisposition, xrefs: 000000014000D746, 000000014000D763, 000000014000D84D, 000000014000D86A, 000000014000D993, 000000014000D9B0
FlagsAndAttributes, xrefs: 000000014000D789, 000000014000D7A6, 000000014000D890, 000000014000D8AD, 000000014000D9D6, 000000014000D9F3
AppRotateBytesHigh, xrefs: 000000014000DB80, 000000014000DB96
AppStopMethodThreads, xrefs: 000000014000D65D, 000000014000D673
CopyAndTruncate, xrefs: 000000014000D8CC, 000000014000D8EC, 000000014000DA12, 000000014000DA32
AppStopMethodSkip, xrefs: 000000014000D52D, 000000014000D543
AppStdin, xrefs: 000000014000D6D3, 000000014000D6E9, 000000014000D70D, 000000014000D72A, 000000014000D74D, 000000014000D76A, 000000014000D790, 000000014000D7AD
AppStderr, xrefs: 000000014000D920, 000000014000D936, 000000014000D95A, 000000014000D977, 000000014000D99A, 000000014000D9B7, 000000014000D9DD, 000000014000D9FA, 000000014000DA19, 000000014000DA39
AppRotateBytes, xrefs: 000000014000DB4E, 000000014000DB64
ShareMode, xrefs: 000000014000D706, 000000014000D723, 000000014000D80D, 000000014000D82A, 000000014000D953, 000000014000D970
AppEnvironment, xrefs: 000000014000DC22, 000000014000DC51, 000000014000DC75

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CloseDelete
String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStderr$AppStdin$AppStdout$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$CopyAndTruncate$CreationDisposition$FlagsAndAttributes$ShareMode
API String ID: 453069226-2212462884
Opcode ID: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
Instruction ID: 5f1e44c56ca19a9d09426f40c55942bea94d1b5e1f951be96c332341e708dae6
Opcode Fuzzy Hash: d6f40d484542d60e602315e057a830b834a1cf69aa439974fe36276ad11cd41d
Instruction Fuzzy Hash: 27524AB5214B4281FA66DB27B841BE93361B74D7D8F84512BBF0A076B5DF78CA48C720

Function 000000014000A2E0 Relevance: 58.1, APIs: 9, Strings: 24, Instructions: 347
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140001D10: GetConsoleWindow.KERNELBASE ref: 0000000140001D14
Part of subcall function 0000000140001D10: GetWindowThreadProcessId.USER32 ref: 0000000140001D27
Part of subcall function 0000000140001D10: GetCurrentProcessId.KERNEL32 ref: 0000000140001D31

_snwprintf_s.LIBCMT ref: 000000014000A33B
PathQuoteSpacesW.SHLWAPI ref: 000000014000A347
GetModuleFileNameW.KERNEL32 ref: 000000014000A35C
GetModuleFileNameW.KERNEL32 ref: 000000014000A371
PathQuoteSpacesW.SHLWAPI ref: 000000014000A37E

Part of subcall function 0000000140017CC0: GetConsoleOutputCP.KERNEL32(?,?,?,?,000000014000A2FE), ref: 0000000140017CC4
Part of subcall function 0000000140017CC0: SetConsoleOutputCP.KERNEL32(?,?,?,?,000000014000A2FE), ref: 0000000140017CD5

TlsAlloc.KERNEL32 ref: 000000014000A73F
GetStdHandle.KERNEL32 ref: 000000014000A75E
StartServiceCtrlDispatcherW.ADVAPI32 ref: 000000014000A797
GetLastError.KERNEL32 ref: 000000014000A7A1

Part of subcall function 0000000140009FB0: GetConsoleWindow.KERNEL32 ref: 0000000140009FB8
Part of subcall function 0000000140009FB0: GetStdHandle.KERNEL32 ref: 0000000140009FC8
Part of subcall function 0000000140009FB0: GetProcessWindowStation.USER32 ref: 0000000140009FD3

Strings

dump, xrefs: 000000014000A61B
install, xrefs: 000000014000A555
restart, xrefs: 000000014000A42A
NSSM, xrefs: 000000014000A3AF, 000000014000A770
"C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe", xrefs: 000000014000A321, 000000014000A340
set, xrefs: 000000014000A5D3
start, xrefs: 000000014000A3D3
list, xrefs: 000000014000A633
stop, xrefs: 000000014000A3FD
64-bit, xrefs: 000000014000A3A1
reset, xrefs: 000000014000A5EB
rotate, xrefs: 000000014000A528
unset, xrefs: 000000014000A603
remove, xrefs: 000000014000A683
continue, xrefs: 000000014000A49E
get, xrefs: 000000014000A5BB
edit, xrefs: 000000014000A5A3
status, xrefs: 000000014000A4CB
processes, xrefs: 000000014000A65B
pause, xrefs: 000000014000A471
statuscode, xrefs: 000000014000A4F8
%s %s %s %s, xrefs: 000000014000A3B6
2017-04-26, xrefs: 000000014000A39A
2.24-101-g897c7ad, xrefs: 000000014000A3A8

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ConsoleWindow$Process$FileHandleModuleNameOutputPathQuoteSpaces$AllocCtrlCurrentDispatcherErrorLastServiceStartStationThread_snwprintf_s
String ID: "C:\Program Files (x86)\IDmelon\Accesskey\nssm.exe"$%s %s %s %s$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM$continue$dump$edit$get$install$list$pause$processes$remove$reset$restart$rotate$set$start$status$statuscode$stop$unset
API String ID: 3367203220-4093838077
Opcode ID: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
Instruction ID: 475713a89709ce93db3c9404fee735fe112960effc50d923b9116429dcfb75de
Opcode Fuzzy Hash: 0cc89f18b1057b5a72a2ee583f9768e88b6792957dfbdf81a853be53e10b8232
Instruction Fuzzy Hash: F1E16CB0600A4686FB16FB73F9657E923A1EB497D8F404426BB194B2F6EF78C945C340

Function 0000000140012160 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 220
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf_s.LIBCMT ref: 0000000140012208
GetProcessHeap.KERNEL32 ref: 0000000140012258
HeapAlloc.KERNEL32 ref: 0000000140012266

Strings

LocalSystem, xrefs: 0000000140012392
canon, xrefs: 0000000140012285
edit_service(), xrefs: 000000014001227E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocProcess_snwprintf_s
String ID: LocalSystem$canon$edit_service()
API String ID: 3659976305-2564672073
Opcode ID: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
Instruction ID: e3b5c0a1dd0221c7c68a33bde828070b828dc71daee6d23759004c629932d6ba
Opcode Fuzzy Hash: c2f84ec46b8393c74ca8ca84993f5637c0292e65ffba0c481b9bd538b89089a5
Instruction Fuzzy Hash: ACA17E72204B8192EB26DB22E4443DA73A1F788BD4F444126FB99477A5DF39C965C700

Function 0000000140002530 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
FormatMessageW.KERNELBASE ref: 0000000140002567
FormatMessageW.KERNEL32 ref: 0000000140002599
GetProcessHeap.KERNEL32 ref: 00000001400025A3
HeapAlloc.KERNEL32 ref: 00000001400025B2
_snwprintf_s.LIBCMT ref: 00000001400025D4

Strings

system error %lu, xrefs: 00000001400025B8

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultLangProcessUser_snwprintf_s
String ID: system error %lu
API String ID: 1301441402-1824642319
Opcode ID: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
Instruction ID: 8ac30a1a1620e7ed145e822f26d1194f441ec5727b48fbd65988fd17af8cf97c
Opcode Fuzzy Hash: aaa1bbfdd9c70fa5ff9d64c30cbb850859592f88a9e14e0967e5c3d2bea55925
Instruction Fuzzy Hash: 60118271614B8182E721DF62F814796B791FB8C7A9F004238AB9943BE4EF3CC5488B00

Function 00000001400133A0 Relevance: 10.6, APIs: 7, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
Instruction ID: 7bc4927bec7be680e73558176a6a3dd42dc0bfe2cbad2d4f784c91d458048ab8
Opcode Fuzzy Hash: 3fecfab8ebf54e75fb7e5ea40beadd711431b0205b0aaf5941a53d812bb5c10a
Instruction Fuzzy Hash: 02416D71204A8086E766EB22F4453DE73A4FB88BD0F544125FBAE87BA6EF3DC5558700

Function 000000014000B870 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 82
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snwprintf_s.LIBCMT ref: 000000014000B8B0
RegCreateKeyExW.KERNELBASE ref: 000000014000B917
GetLastError.KERNEL32 ref: 000000014000B921

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

eventlog registry, xrefs: 000000014000B8C5
create_messages(), xrefs: 000000014000B8BE
SYSTEM\CurrentControlSet\Services\EventLog\Application\%s, xrefs: 000000014000B896
EventMessageFile, xrefs: 000000014000B97C
NSSM, xrefs: 000000014000B88F
TypesSupported, xrefs: 000000014000B998

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
String ID: EventMessageFile$NSSM$SYSTEM\CurrentControlSet\Services\EventLog\Application\%s$TypesSupported$create_messages()$eventlog registry
API String ID: 3915943028-129066941
Opcode ID: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
Instruction ID: 65ade5d21c82d8a5f2cf4e8821feba2f506391910815b1a365cbf720ff84dd66
Opcode Fuzzy Hash: 38f3f3b6c8bfc54d669350a2e0a1a664d129324a3bdfb289b21d3487b642f25c
Instruction Fuzzy Hash: 0E416271204B8186E721CB62F4917DA73A5F78C7A4F404315F79947AA8DB3CC509CB00

Function 000000014000BA30 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000014000B710: _snwprintf_s.LIBCMT ref: 000000014000B73C

RegCreateKeyExW.KERNELBASE ref: 000000014000BADD
GetLastError.KERNEL32 ref: 000000014000BAE7

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

create_exit_action(), xrefs: 000000014000BA7F
AppExit, xrefs: 000000014000BA60, 000000014000BB6B
NSSM_REG_EXIT, xrefs: 000000014000BA86

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$CreateDeregisterErrorLastRegisterReport_snwprintf_s
String ID: AppExit$NSSM_REG_EXIT$create_exit_action()
API String ID: 3915943028-2079778180
Opcode ID: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
Instruction ID: ccaac05e6ae8247f9b9043b8869667f207f6f4575daf8edcbf1287825eb9e7ed
Opcode Fuzzy Hash: 72daa3fbc5d415ad54047c881a5534a5db6ebd6bceb6f11fdf2c9258942a3b44
Instruction Fuzzy Hash: E6415F71208B8186EB61CB62F8857DAB3A5F78C794F440226BB9D43BA9DF78C545CB00

Function 0000000140018F98 Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 0000000140018FC1
DecodePointer.KERNEL32 ref: 0000000140018FF4
DecodePointer.KERNEL32 ref: 0000000140019011
DecodePointer.KERNEL32 ref: 0000000140019050
DecodePointer.KERNEL32 ref: 0000000140019069
DecodePointer.KERNEL32 ref: 0000000140019078
_initterm.LIBCMT ref: 00000001400190B7
_initterm.LIBCMT ref: 00000001400190CA
ExitProcess.KERNEL32 ref: 0000000140019103

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: ec79b0a8b6d411056a24b8aba7a4874d8e85f0765a7b56a25bc0f7be61cd2043
Instruction ID: c03ffe64fd4b435e30c5ae8a24083b9de1078ef0a929f37934195ca75bf9864d
Opcode Fuzzy Hash: ec79b0a8b6d411056a24b8aba7a4874d8e85f0765a7b56a25bc0f7be61cd2043
Instruction Fuzzy Hash: 6F416D31216A9085FA539B17F8443D96295F78C7C4F144429FB4D4B7BAEF3AC992C740

Function 0000000140013B00 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140010290: GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
Part of subcall function 0000000140010290: RtlAllocateHeap.NTDLL(?,?,?,?,?,0000000140004171), ref: 00000001400102AA

_snwprintf_s.LIBCMT ref: 0000000140013B41
_snwprintf_s.LIBCMT ref: 0000000140013BC9

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Strings

pre_install_service(), xrefs: 0000000140013B6C
service, xrefs: 0000000140013B73

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap_snwprintf_s$AllocateFreeLocalProcess_vfwprintf_p
String ID: pre_install_service()$service
API String ID: 1864752748-3337766052
Opcode ID: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
Instruction ID: 1f3a638b6378999b6819d25118dd32754412a06506d8dd69f99bcf8c10b9a7c2
Opcode Fuzzy Hash: a4fe2850516496a6d6bef16b651254128269590410b47283ba75cfab8d25e80a
Instruction Fuzzy Hash: 9051C272614A8582EA12EB26E4013DA6365F7487F4F455322BFBA5B7E6DF39C542C300

Function 0000000140019FF0 Relevance: 7.7, APIs: 5, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 000000014001A015

Part of subcall function 000000014001A34C: Sleep.KERNEL32(?,?,?,000000014001C657,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A391

GetFileType.KERNEL32 ref: 000000014001A192

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: 5b4f25ddc331ad848b09e89fc693490d3fec4779a9e2ba7ae0bc686f3b222f91
Instruction ID: 7a3fca090f6ba9f5ab9e1a2497757437a20a6ef231ed88d5b265d648ccddedd5
Opcode Fuzzy Hash: 5b4f25ddc331ad848b09e89fc693490d3fec4779a9e2ba7ae0bc686f3b222f91
Instruction Fuzzy Hash: 3F916F31604A8085E7528B2AD84879937A5F30B7F4F658B25EB794B3F1DB7EC886C311

Function 0000000140019E44 Relevance: 7.6, APIs: 5, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_FF_MSGBANNER.LIBCMT ref: 0000000140019ED1
_FF_MSGBANNER.LIBCMT ref: 0000000140019EFC
_RTC_Initialize.LIBCMT ref: 0000000140019F15
GetCommandLineW.KERNEL32 ref: 0000000140019F2E
_cinit.LIBCMT ref: 0000000140019F6E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CommandInitializeLine_cinit
String ID:
API String ID: 2063639010-0
Opcode ID: ecf82f526bca1e36555f0eff5cfb9770f1d094e6865a6b65b2518921b59a087b
Instruction ID: 49bd52d0a6cb84c4fc261c0c752a8ca64d3d73b004f0ff5055fbb52a34e6a74c
Opcode Fuzzy Hash: ecf82f526bca1e36555f0eff5cfb9770f1d094e6865a6b65b2518921b59a087b
Instruction Fuzzy Hash: 6B41113160474186F763ABA7A4913E932A1AB9D3C4F54043DBB458F2F7DB3AC941C711

Function 0000000140010290 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
RtlAllocateHeap.NTDLL(?,?,?,?,?,0000000140004171), ref: 00000001400102AA

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

alloc_nssm_service(), xrefs: 00000001400102BB
service, xrefs: 00000001400102C2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$HeapSource$AllocateDeregisterProcessRegisterReport
String ID: alloc_nssm_service()$service
API String ID: 3449932736-2157636798
Opcode ID: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
Instruction ID: 68c9e48bc270ec39d5ec3dc1802da48655ef9d9f8276d5f31e599d5297850325
Opcode Fuzzy Hash: 340dcb3ea64f2eaa611f07df5ba2ae7dbefa44cddf1a4083a5f2c707a3498489
Instruction Fuzzy Hash: 5EE0D834611B9982FF029F62A4143DA6390A74D784F480029EE894B375EF3CC9498B00

Function 0000000140001D10 Relevance: 6.0, APIs: 4, Instructions: 19
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0000000140001D14
GetWindowThreadProcessId.USER32 ref: 0000000140001D27
GetCurrentProcessId.KERNEL32 ref: 0000000140001D31
FreeConsole.KERNELBASE ref: 0000000140001D44

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ConsoleProcessWindow$CurrentFreeThread
String ID:
API String ID: 3525601419-0
Opcode ID: 29e15103fe5f831a4dd6db545d7f1efa3da3bd332465f4f0af65380b46d4571c
Instruction ID: 8be19064b400df3bdc88df37d5e9ee8f6c9001a69cbb9b9d9eb637b770bdfd16
Opcode Fuzzy Hash: 29e15103fe5f831a4dd6db545d7f1efa3da3bd332465f4f0af65380b46d4571c
Instruction Fuzzy Hash: 9CE0E675A11581D3EE56AF23B8453D923A0BB9CB81FC45019F7464B674EF3CD9498710

Function 000000014000B770 Relevance: 4.6, APIs: 3, Instructions: 61
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE ref: 000000014000B7BC
RegOpenKeyExW.ADVAPI32 ref: 000000014000B7E2
GetLastError.KERNEL32 ref: 000000014000B7FD

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CreateErrorLastOpen
String ID:
API String ID: 2883820896-0
Opcode ID: 426f83eaa0c046e117805a459ac9e79b35227a8f246da0bf843b4684c48776b8
Instruction ID: 07820c114393a1c3651ebc684bf4408ed366b49354d521bc99e9e45516614059
Opcode Fuzzy Hash: 426f83eaa0c046e117805a459ac9e79b35227a8f246da0bf843b4684c48776b8
Instruction Fuzzy Hash: 6E21A176600B4186E761CF6BB89476A72A5F788BD4F584234EF88437B5CF38C811C704

Function 000000014000EE10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32(?,?,?,?,00000001400133C9), ref: 000000014000EE20

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

ServicesActive, xrefs: 000000014000EE17

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterManagerOpenRegisterReport
String ID: ServicesActive
API String ID: 2921005559-3071072050
Opcode ID: f8b1cc4c245f662c5fbfc86ec2cd82fe25e88d529c2b183d9024c7d0f0ce16cb
Instruction ID: 7bf288e408de665aed5aeb23dc28e3206f15ed75b00312d32a24d07a7a484b57
Opcode Fuzzy Hash: f8b1cc4c245f662c5fbfc86ec2cd82fe25e88d529c2b183d9024c7d0f0ce16cb
Instruction Fuzzy Hash: 19E0C2F07116D041FBAB9733A8957E91191530E380F88142EB6091B2E1E53DC4895700

Function 0000000140020558 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 000000014002056C
FreeEnvironmentStringsW.KERNEL32(?,?,00000001,0000000140019F3F), ref: 00000001400205C3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 52b48ba027309c268b512042e826b0040b0b68e810d38ab844d28889a68a6781
Instruction ID: 27a3e792f96817a0e8cf10094a7cce5f9e20a5dc5851357d12ae0bf73b465cf9
Opcode Fuzzy Hash: 52b48ba027309c268b512042e826b0040b0b68e810d38ab844d28889a68a6781
Instruction Fuzzy Hash: 82018B32705B5085EE616F63A55539B67A0E74CFC0F4C8425FF49077A6EA3CC9C18740

Function 000000014000BFC0 Relevance: 3.0, APIs: 2, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegSetValueExW.KERNELBASE(?,?,?,?,?,000000014000D166), ref: 000000014000C002
GetLastError.KERNEL32(?,?,?,?,?,000000014000D166), ref: 000000014000C017

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ErrorLastValue
String ID:
API String ID: 1151882462-0
Opcode ID: f126e78fb2dcacfabb8a301fae63ef6e246f4beabb4efec4ad6e6b4439e68fb8
Instruction ID: 83cb7a815068fcf4ab2de7cbf73c3f9a6832888872b2b956c7e89c07b6edc9bc
Opcode Fuzzy Hash: f126e78fb2dcacfabb8a301fae63ef6e246f4beabb4efec4ad6e6b4439e68fb8
Instruction Fuzzy Hash: 93012B7170468042E7118B3AF450B9BA260F789BF8F584324FFAA43BE5DA3CC9414700

Function 00000001400026B0 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002530: GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4

_vfwprintf_p.LIBCMT ref: 00000001400026E1
LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: FormatHeapMessage$AllocDefaultFreeLangLocalProcessUser_snwprintf_s_vfwprintf_p
String ID:
API String ID: 2711435474-0
Opcode ID: b9e2fb73056956266d8f65f75a8af008741aaaf4afbe52a6e07819eac5454351
Instruction ID: 6d7d810d7111ec690abced4b0f3e6a2a606c685bad1816cb6f56e965f88532a0
Opcode Fuzzy Hash: b9e2fb73056956266d8f65f75a8af008741aaaf4afbe52a6e07819eac5454351
Instruction Fuzzy Hash: FAE04F7260578042DD0ADB1779503A9A291AB8C7C1F484828BF8907755EF3CC6948740

Function 00000001400205EC Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,0000000140019EC4), ref: 00000001400205FE
HeapSetInformation.KERNEL32 ref: 0000000140020628

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: edb88e91396a61cd8c355dff496fc69843bdaca4606bf3ee0219da364ff22c02
Instruction ID: 9ee7d56fb08d5f3afb1ad26f4d176171cdeb2e2a73566ed9e3bf0c6f6fa99c57
Opcode Fuzzy Hash: edb88e91396a61cd8c355dff496fc69843bdaca4606bf3ee0219da364ff22c02
Instruction Fuzzy Hash: 76E08675B22B9083F78ADB22E85979962A0F78C781F90502DFB49037A4DF3CC5558B00

Function 000000014001A2E0 Relevance: 2.5, APIs: 2, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000000014001A2FF

Part of subcall function 00000001400206EC: _FF_MSGBANNER.LIBCMT ref: 000000014002071C
Part of subcall function 00000001400206EC: RtlAllocateHeap.NTDLL(?,?,00000000,000000014001A304,?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F), ref: 0000000140020741
Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020765
Part of subcall function 00000001400206EC: _errno.LIBCMT ref: 0000000140020770

Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno$AllocateHeapSleepmalloc
String ID:
API String ID: 4275769124-0
Opcode ID: d487568a586992d1fcb55698f8c4441f09e4e55957370627acfcf2ddf9cad006
Instruction ID: 4142fe8a63bf8884d36fe6fdc3d1457c7defd5a6f16963f854cf87769d59775e
Opcode Fuzzy Hash: d487568a586992d1fcb55698f8c4441f09e4e55957370627acfcf2ddf9cad006
Instruction Fuzzy Hash: 61F0F636205B8486EA469F17A8403AD72A1F79CBD0F140225FBA90B765CF3DCD928700

Non-executed Functions

Function 00000001400070A0 Relevance: 170.2, APIs: 63, Strings: 34, Instructions: 443memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400070DE
HeapAlloc.KERNEL32 ref: 00000001400070F0
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140007140
EnterCriticalSection.KERNEL32 ref: 000000014000714D
_snwprintf_s.LIBCMT ref: 000000014000717A
SetEnvironmentVariableW.KERNEL32 ref: 000000014000718E
SetEnvironmentVariableW.KERNEL32 ref: 000000014000719E
SetEnvironmentVariableW.KERNEL32 ref: 00000001400071AE
SetEnvironmentVariableW.KERNEL32 ref: 00000001400071CA
SetEnvironmentVariableW.KERNEL32 ref: 00000001400071FB
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007210
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007224
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007238
SetEnvironmentVariableW.KERNEL32 ref: 000000014000724C
GetCurrentProcessId.KERNEL32 ref: 0000000140007252
_snwprintf_s.LIBCMT ref: 0000000140007273
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007287
_snwprintf_s.LIBCMT ref: 00000001400072CA
SetEnvironmentVariableW.KERNEL32 ref: 00000001400072DE
SetEnvironmentVariableW.KERNEL32 ref: 000000014000730A
_snwprintf_s.LIBCMT ref: 00000001400073F0
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007404
SetEnvironmentVariableW.KERNEL32 ref: 0000000140007418

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

NSSM_COMMAND_LINE, xrefs: 000000014000755B
NSSM_APPLICATION_PID, xrefs: 00000001400072D7, 000000014000731C
NSSM_THROTTLE_COUNT, xrefs: 0000000140007511
%s (%s/%s), xrefs: 000000014000770D
NSSM_START_COUNT, xrefs: 000000014000749B
nssm_hook(), xrefs: 0000000140007103
NSSM_BUILD_DATE, xrefs: 0000000140007245
hook, xrefs: 000000014000710A
NSSM_EXIT_COUNT, xrefs: 00000001400074D6
NSSM_VERSION, xrefs: 0000000140007231
NSSM_TRIGGER, xrefs: 00000001400071C0, 00000001400071D9
NSSM_PID, xrefs: 0000000140007280
nssm_hook, xrefs: 00000001400077E7
NSSM_SERVICE_NAME, xrefs: 000000014000740E
NSSM_ACTION, xrefs: 00000001400071A4
NSSM_HOOK_VERSION, xrefs: 0000000140007187
NSSM_APPLICATION_RUNTIME, xrefs: 00000001400072F0, 0000000140007356, 0000000140007387
h, xrefs: 0000000140007638
NSSM_DEADLINE, xrefs: 00000001400073FD
NSSM_CONFIGURATION, xrefs: 000000014000721D
64-bit, xrefs: 0000000140007216
Start, xrefs: 0000000140007329
"%s" %s, xrefs: 0000000140007531
NSSM_RUNTIME, xrefs: 0000000140007299
Pre, xrefs: 000000014000733C
NSSM_EXE, xrefs: 0000000140007206
NSSM_SERVICE_DISPLAYNAME, xrefs: 0000000140007425
NSSM_EXITCODE, xrefs: 0000000140007303, 000000014000736A, 00000001400073C1
NSSM_EVENT, xrefs: 0000000140007194
NSSM_START_REQUESTED_COUNT, xrefs: 0000000140007460
%lu, xrefs: 0000000140007160, 0000000140007260, 00000001400072B7, 00000001400073A1, 00000001400073D9, 0000000140007440, 000000014000747B, 00000001400074B6, 00000001400074F1
2017-04-26, xrefs: 000000014000723E
2.24-101-g897c7ad, xrefs: 000000014000722A
NSSM_LAST_CONTROL, xrefs: 00000001400071F1

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: EnvironmentVariable$_snwprintf_s$Event$HeapProcessSourceTime$AllocCriticalCurrentDeregisterEnterFileRegisterReportSectionSystem
String ID: "%s" %s$%lu$%s (%s/%s)$2.24-101-g897c7ad$2017-04-26$64-bit$NSSM_ACTION$NSSM_APPLICATION_PID$NSSM_APPLICATION_RUNTIME$NSSM_BUILD_DATE$NSSM_COMMAND_LINE$NSSM_CONFIGURATION$NSSM_DEADLINE$NSSM_EVENT$NSSM_EXE$NSSM_EXITCODE$NSSM_EXIT_COUNT$NSSM_HOOK_VERSION$NSSM_LAST_CONTROL$NSSM_PID$NSSM_RUNTIME$NSSM_SERVICE_DISPLAYNAME$NSSM_SERVICE_NAME$NSSM_START_COUNT$NSSM_START_REQUESTED_COUNT$NSSM_THROTTLE_COUNT$NSSM_TRIGGER$NSSM_VERSION$Pre$Start$h$hook$nssm_hook$nssm_hook()
API String ID: 1580475628-2341226502
Opcode ID: 294eb9d4a23a78c2de3f36ec37dab0aad2ddc9e726d8f4d6a7593e092b17f7c3
Instruction ID: 1c3f5b841a22e28915dda55d46f00e8888b02ddfce4e8b72b9f71ca216febfb4
Opcode Fuzzy Hash: 294eb9d4a23a78c2de3f36ec37dab0aad2ddc9e726d8f4d6a7593e092b17f7c3
Instruction Fuzzy Hash: 27323E71604A8691EB22DB22F8517DA7361F7887D4F80422AFB9D476B9DF3CCA49C710

Function 000000014000DD40 Relevance: 72.2, APIs: 17, Strings: 24, Instructions: 491registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(00000003,00000000,?,00000003,00000000,0000000140010A23), ref: 000000014000DE27

Strings

AppDirectory, xrefs: 000000014000DEBF, 000000014000DF3E, 000000014000DF6C
AppParameters, xrefs: 000000014000DE43, 000000014000DE80
AppRotateDelay, xrefs: 000000014000E2CB
AppEnvironmentExtra, xrefs: 000000014000DDCD
AppRedirectHook, xrefs: 000000014000E131
AppRotateBytesHigh, xrefs: 000000014000E2A8
AppRotateSeconds, xrefs: 000000014000E25C
AppStopMethodThreads, xrefs: 000000014000E4E5
Application, xrefs: 000000014000DDFE
AppTimestampLog, xrefs: 000000014000E1E0
AppStopMethodSkip, xrefs: 000000014000E3D5, 000000014000E421, 000000014000E44D
AppNoConsole, xrefs: 000000014000E2F1
NSSM, xrefs: 000000014000E41A
AppAffinity, xrefs: 000000014000DF98
AppStopMethodConsole, xrefs: 000000014000E491
AppRotateOnline, xrefs: 000000014000E192
AppPriority, xrefs: 000000014000E0E0, 000000014000E10E
AppRotateBytes, xrefs: 000000014000E285
AppThrottle, xrefs: 000000014000E3A8
AppStopMethodWindow, xrefs: 000000014000E4BB
AppEnvironment, xrefs: 000000014000DD98
AppKillProcessTree, xrefs: 000000014000E50D
AppRotateFiles, xrefs: 000000014000E160
AppRestartDelay, xrefs: 000000014000E382

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Close
String ID: AppAffinity$AppDirectory$AppEnvironment$AppEnvironmentExtra$AppKillProcessTree$AppNoConsole$AppParameters$AppPriority$AppRedirectHook$AppRestartDelay$AppRotateBytes$AppRotateBytesHigh$AppRotateDelay$AppRotateFiles$AppRotateOnline$AppRotateSeconds$AppStopMethodConsole$AppStopMethodSkip$AppStopMethodThreads$AppStopMethodWindow$AppThrottle$AppTimestampLog$Application$NSSM
API String ID: 3535843008-3506916582
Opcode ID: a3178ec04ad4e68e416fe25619a2ffa94c5c1b4cf00600d989723d11c9e5fa88
Instruction ID: c7805839bb8358a959a768a10e243be2ff9b259aeb2623d0bf795c7c7b3a558e
Opcode Fuzzy Hash: a3178ec04ad4e68e416fe25619a2ffa94c5c1b4cf00600d989723d11c9e5fa88
Instruction Fuzzy Hash: D432B1F2208AC5C5EB22DF62B4417DA77A0F788BC8F84412AFB89576A9DB3CC545C711

Function 000000014000F500 Relevance: 72.1, APIs: 34, Strings: 7, Instructions: 330memoryregistryserviceCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014000F5E6
GetLastError.KERNEL32 ref: 000000014000F5F0

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

ChangeServiceConfigW.ADVAPI32 ref: 000000014000F98D
GetProcessHeap.KERNEL32 ref: 000000014000F99C
HeapFree.KERNEL32 ref: 000000014000F9AA
GetLastError.KERNEL32 ref: 000000014000F9B0
GetProcessHeap.KERNEL32 ref: 000000014000F9DB
HeapFree.KERNEL32 ref: 000000014000F9E9
GetProcessHeap.KERNEL32 ref: 000000014000F9F4
HeapFree.KERNEL32 ref: 000000014000FA02
CloseServiceHandle.ADVAPI32 ref: 000000014000FA0B

Part of subcall function 000000014000EE10: OpenSCManagerW.ADVAPI32(?,?,?,?,00000001400133C9), ref: 000000014000EE20

Strings

SYSTEM\CurrentControlSet\Control\ServiceGroupOrder, xrefs: 000000014000F5CA, 000000014000F605, 000000014000F6F2, 000000014000F758
groups, xrefs: 000000014000F686
%s\%s: %s, xrefs: 000000014000F6F9, 000000014000F75F
%s: %s, xrefs: 000000014000F853
List, xrefs: 000000014000F63D, 000000014000F6B9, 000000014000F6EB, 000000014000F751
%s: %s, xrefs: 000000014000F60C
set_service_dependencies(), xrefs: 000000014000F67F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Free$Process$ErrorLastOpenService$ChangeCloseConfigHandleLocalManager_vfwprintf_p
String ID: %s: %s$%s: %s$%s\%s: %s$List$SYSTEM\CurrentControlSet\Control\ServiceGroupOrder$groups$set_service_dependencies()
API String ID: 717911963-3133791794
Opcode ID: 54557dc6fc8c01a7130147166d68acc7474a2c037710422b00090d6a8d766381
Instruction ID: d7ce32b5b10f061c7e7195f09d254de381534975a8cdc810ca296d842c87e0db
Opcode Fuzzy Hash: 54557dc6fc8c01a7130147166d68acc7474a2c037710422b00090d6a8d766381
Instruction Fuzzy Hash: B5E191B1601A4581EA22DB63B8147EA63A1FB8DBD4F448119FF5E43BB9EF38C945D700

Function 0000000140012E00 Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 296COMMON

Download Yara Rule

Strings

N, xrefs: 0000000140013030
Start, xrefs: 000000014001301F, 0000000140013083, 0000000140013327
E, xrefs: 0000000140012F81
command line, xrefs: 0000000140012F23
"%s" %s, xrefs: 0000000140012EF1
Pre, xrefs: 0000000140013018, 000000014001307C
start_service, xrefs: 0000000140012F1C, 00000001400132BF
h, xrefs: 0000000140012E72
%lu, xrefs: 0000000140013047
Post, xrefs: 0000000140013320

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: N$"%s" %s$%lu$E$Post$Pre$Start$command line$h$start_service
API String ID: 0-2674916716
Opcode ID: 61a6d97d03bd1b107dd6fa5df021d69fdc1368fe82631b5aaab015d8bca59c8c
Instruction ID: 023993fa0f7560711ba82d2caa2d9202a0fbac83a1b829d0283cea075c44361b
Opcode Fuzzy Hash: 61a6d97d03bd1b107dd6fa5df021d69fdc1368fe82631b5aaab015d8bca59c8c
Instruction Fuzzy Hash: 97E160B2504AD182E762DF22A4513DE73A0F788BD8F544226FB894B6AADF3CC545CB50

Function 0000000140002B50 Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 178windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140002B91
SendMessageW.USER32 ref: 0000000140002BA5
GetDlgItem.USER32 ref: 0000000140002BB7
SendMessageW.USER32 ref: 0000000140002BCE
SendMessageW.USER32 ref: 0000000140002C2A
SendMessageW.USER32 ref: 0000000140002C5A
SendMessageW.USER32 ref: 0000000140002C8D
SendMessageW.USER32 ref: 0000000140002CBD

Part of subcall function 0000000140002530: GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4

SendMessageW.USER32 ref: 0000000140002CF0
SendMessageW.USER32 ref: 0000000140002D1E
SendMessageW.USER32 ref: 0000000140002D50
SendMessageW.USER32 ref: 0000000140002D80
SendMessageW.USER32 ref: 0000000140002DA2
_snwprintf_s.LIBCMT ref: 0000000140002DC7
GetDlgItemTextW.USER32 ref: 0000000140002DF3
SetEnvironmentVariableW.KERNEL32 ref: 0000000140002E06
GetEnvironmentVariableW.KERNEL32 ref: 0000000140002E21
SetDlgItemTextW.USER32 ref: 0000000140002E47

Strings

Pre, xrefs: 0000000140002C30, 0000000140002D28, 0000000140002D56
NSSM_HOOK_%s_%s, xrefs: 0000000140002DA8
Resume, xrefs: 0000000140002CCC
Change, xrefs: 0000000140002C93
Post, xrefs: 0000000140002C69, 0000000140002CFA, 0000000140002D86

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Message$Send$Item$EnvironmentFormatHeapTextVariable_snwprintf_s$AllocDefaultLangProcessUser
String ID: Change$NSSM_HOOK_%s_%s$Post$Pre$Resume
API String ID: 2959201675-3454526459
Opcode ID: 2f41eb6af505d12dd21b44215bfd44072d8710aa8027056f3b4481a60488a377
Instruction ID: 4d61490fa284bf38201bd411ba8695437f9e61230d5e4b6a083a814ca1fc796a
Opcode Fuzzy Hash: 2f41eb6af505d12dd21b44215bfd44072d8710aa8027056f3b4481a60488a377
Instruction Fuzzy Hash: 98717F71305A8192F766DB22F9247DA2361E78DBC8F501029FB4E07AB5DF39CD4A8701

Function 0000000140020A2C Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140020A7D
_errno.LIBCMT ref: 0000000140020A84

Strings

U, xrefs: 000000014002103B

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 74c5f7fb8baae198cacb24aad5bbcbe68e136ebc3b0815143d4b2bb7719c7451
Instruction ID: 76fb5729cbaa013820f51bb000bfef4f3fcad7bac76d669b73782e902e55697a
Opcode Fuzzy Hash: 74c5f7fb8baae198cacb24aad5bbcbe68e136ebc3b0815143d4b2bb7719c7451
Instruction Fuzzy Hash: 3712023220478586EB228F66E4443EEB7A1F38CBC4F55411AFB8947AB6DB3DD945CB00

Function 0000000140008E20 Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 348fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32 ref: 0000000140008E87
IsTextUnicode.ADVAPI32 ref: 00000001400091DB
WriteFile.KERNEL32 ref: 0000000140009212
GetLastError.KERNEL32 ref: 000000014000921C

Strings

MoveFile(), xrefs: 00000001400090AA
CopyFile(), xrefs: 000000014000903A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: File$ErrorHandleInformationLastTextUnicodeWrite
String ID: CopyFile()$MoveFile()
API String ID: 3620008457-2845297855
Opcode ID: d06a1913474329db8f6a3aa3d548f31daddee877e2bca60e31014723715ace4d
Instruction ID: 911a94780f45dd87590bef11f4ac37bd3019a58644ce44482c958d09773acbbb
Opcode Fuzzy Hash: d06a1913474329db8f6a3aa3d548f31daddee877e2bca60e31014723715ace4d
Instruction Fuzzy Hash: 95F159B2208A8196EB25DF22F5403DAB3A1F78DBD4F544119FB8943BA9DF38D954CB00

Function 000000014000EE50 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 190memoryserviceCOMMON

Download Yara Rule

APIs

OpenServiceW.ADVAPI32 ref: 000000014000EE86
GetServiceDisplayNameW.ADVAPI32 ref: 000000014000EEB9
GetServiceKeyNameW.ADVAPI32 ref: 000000014000EEDF
GetLastError.KERNEL32 ref: 000000014000EEED
GetLastError.KERNEL32 ref: 000000014000EEFA
EnumServicesStatusExW.ADVAPI32 ref: 000000014000EF6E
GetLastError.KERNEL32 ref: 000000014000EF74
GetProcessHeap.KERNEL32 ref: 000000014000EF89
HeapAlloc.KERNEL32 ref: 000000014000EF97
EnumServicesStatusExW.ADVAPI32 ref: 000000014000F01D
GetLastError.KERNEL32 ref: 000000014000F02B
GetProcessHeap.KERNEL32 ref: 000000014000F078
HeapFree.KERNEL32 ref: 000000014000F086
GetLastError.KERNEL32 ref: 000000014000F08C
_snwprintf_s.LIBCMT ref: 000000014000F0E2
GetProcessHeap.KERNEL32 ref: 000000014000F0EB
HeapFree.KERNEL32 ref: 000000014000F0F9
GetProcessHeap.KERNEL32 ref: 000000014000F110
HeapFree.KERNEL32 ref: 000000014000F11E

Strings

open_service(), xrefs: 000000014000EFB1
canonical_name, xrefs: 000000014000F104
ENUM_SERVICE_STATUS_PROCESS, xrefs: 000000014000EFAA

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$ErrorLast$Process$FreeService$EnumNameServicesStatus$AllocDisplayOpen_snwprintf_s
String ID: ENUM_SERVICE_STATUS_PROCESS$canonical_name$open_service()
API String ID: 2015548786-1539203807
Opcode ID: 457023ee60d23c60c41332a15b72afbf33f55e71c4758a42e6d57e6a748a91cc
Instruction ID: 5ee9360cefee841a79e9959a14513cd3d11481ffbf4d78818340a009a2714b5b
Opcode Fuzzy Hash: 457023ee60d23c60c41332a15b72afbf33f55e71c4758a42e6d57e6a748a91cc
Instruction Fuzzy Hash: 79815D75205B8086EB52DB62F4443DAB7A1FB8DBD4F444129FB4A43BA9DF3CC9099B00

Function 0000000140023A88 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023AC5
GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023AE1
GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B09
EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B12
GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B28
EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B31
GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B47
EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B50
GetProcAddress.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B6E
EncodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023B77
DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023BA9
DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023BB8
DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C10
DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C30
DecodePointer.KERNEL32(?,?,?,00000000,?,000000FC,00000000,000000014001DD80,?,?,?,?,?,000000014001DE14), ref: 0000000140023C49

Strings

GetProcessWindowStation, xrefs: 0000000140023B64
GetUserObjectInformationA, xrefs: 0000000140023B36
USER32.DLL, xrefs: 0000000140023ABE
GetActiveWindow, xrefs: 0000000140023AF8
GetLastActivePopup, xrefs: 0000000140023B17
MessageBoxA, xrefs: 0000000140023AD7

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 394c86fa8740025843811833a4a0878d79852cd341f95afa00973598f09dcfa6
Instruction ID: 963d9139185d25277fa7d6bff1b6dbe887c214cdc387d39ea297937161747b03
Opcode Fuzzy Hash: 394c86fa8740025843811833a4a0878d79852cd341f95afa00973598f09dcfa6
Instruction Fuzzy Hash: D4511630212B4080FE5BEB67B8557E962A5AB8DBC0F64043DBF4E077B5EE78D8818711

Function 0000000140011A80 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 185memoryserviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusExW.ADVAPI32 ref: 0000000140011B3A
GetLastError.KERNEL32 ref: 0000000140011B40
GetLastError.KERNEL32 ref: 0000000140011B4D
GetProcessHeap.KERNEL32 ref: 0000000140011B87
HeapAlloc.KERNEL32 ref: 0000000140011B95
EnumServicesStatusExW.ADVAPI32 ref: 0000000140011C32
GetLastError.KERNEL32 ref: 0000000140011C3F
_snwprintf_s.LIBCMT ref: 0000000140011C8D
GetProcessHeap.KERNEL32 ref: 0000000140011CE6
HeapFree.KERNEL32 ref: 0000000140011CF4
GetLastError.KERNEL32 ref: 0000000140011CFA

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Strings

nssm_service_t, xrefs: 0000000140011D47
%s, xrefs: 0000000140011CAF
all, xrefs: 0000000140011A95
list_nssm_services(), xrefs: 0000000140011BA8, 0000000140011D40
ENUM_SERVICE_STATUS_PROCESS, xrefs: 0000000140011BAF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ErrorHeapLast$EnumFreeProcessServicesStatus$AllocLocal_snwprintf_s_vfwprintf_p
String ID: %s$ENUM_SERVICE_STATUS_PROCESS$all$list_nssm_services()$nssm_service_t
API String ID: 1638472356-4196503671
Opcode ID: f4310e37fca4d66cae59513067b94a4934d94d266e052b314e4d01511460c31d
Instruction ID: 220fa191e2712f2fa40922eeb86950ca4a2caa5aec97ef5d5f917f65aa88fd44
Opcode Fuzzy Hash: f4310e37fca4d66cae59513067b94a4934d94d266e052b314e4d01511460c31d
Instruction Fuzzy Hash: 1E814A31204B8186EA26DB62F4403DA77A5FBCD7C4F44412AEB89477BAEF39C949C701

Function 0000000140008480 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 181timefilesleepCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 00000001400084BD
CreateFileW.KERNEL32 ref: 00000001400084E7
GetFileInformationByHandle.KERNEL32 ref: 0000000140008506
SystemTimeToFileTime.KERNEL32 ref: 0000000140008523
CloseHandle.KERNEL32 ref: 000000014000853C
SystemTimeToFileTime.KERNEL32 ref: 0000000140008550
CompareFileTime.KERNEL32 ref: 0000000140008598
GetLastError.KERNEL32 ref: 00000001400085CE
SystemTimeToFileTime.KERNEL32 ref: 000000014000861C
FileTimeToSystemTime.KERNEL32 ref: 000000014000862C
CopyFileW.KERNEL32 ref: 0000000140008676
Sleep.KERNEL32 ref: 00000001400086A3
SetFilePointer.KERNEL32 ref: 00000001400086B4
SetEndOfFile.KERNEL32 ref: 00000001400086BD
CloseHandle.KERNEL32 ref: 00000001400086C6
MoveFileW.KERNEL32 ref: 00000001400086D5
GetLastError.KERNEL32 ref: 000000014000870B

Strings

MoveFile(), xrefs: 00000001400086CE
CopyFile(), xrefs: 000000014000866C
CreateFile(), xrefs: 00000001400085F1

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: File$Time$System$Handle$CloseErrorLast$CompareCopyCreateInformationMovePointerSleep
String ID: CopyFile()$CreateFile()$MoveFile()
API String ID: 3228394015-381917562
Opcode ID: 01af08144f5c24a7e0f72f2537b02be2019094e1b56a6c29d558042bc7711969
Instruction ID: 2c5f9a746a650ff16cd0eb76c04cc0088810d3ecae15e8d67c050bf747509107
Opcode Fuzzy Hash: 01af08144f5c24a7e0f72f2537b02be2019094e1b56a6c29d558042bc7711969
Instruction Fuzzy Hash: 94713D72204B8186E762DB62F8507DAB3A4F789BD4F541119FF8943AB9DF78C948CB00

Function 0000000140012550 Relevance: 31.8, APIs: 14, Strings: 4, Instructions: 288serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009FB0: GetConsoleWindow.KERNEL32 ref: 0000000140009FB8
Part of subcall function 0000000140009FB0: GetStdHandle.KERNEL32 ref: 0000000140009FC8
Part of subcall function 0000000140009FB0: GetProcessWindowStation.USER32 ref: 0000000140009FD3

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400194C0: _errno.LIBCMT ref: 00000001400194E5

CloseServiceHandle.ADVAPI32 ref: 000000014001296C

Part of subcall function 0000000140002430: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002481
Part of subcall function 0000000140002430: GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002487
Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024B1
Part of subcall function 0000000140002430: FormatMessageW.KERNEL32 ref: 00000001400024DE
Part of subcall function 0000000140002430: _snwprintf_s.LIBCMT ref: 00000001400024FF

Part of subcall function 0000000140018CF0: _errno.LIBCMT ref: 0000000140018D19

Strings

AppThrottle, xrefs: 00000001400126C2
%s, xrefs: 00000001400127FD
%s: %s: %s, xrefs: 0000000140012774, 00000001400127B1, 0000000140012950, 0000000140012991
%s: %s, xrefs: 000000014001282F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: FormatHandleMessageValueWindow_errno$AllocCloseConsoleDefaultLangLocalProcessServiceStationUser_snwprintf_s
String ID: %s$%s: %s$%s: %s: %s$AppThrottle
API String ID: 3091485450-1444196156
Opcode ID: ad12e137b0566e539ec48c87203486ce3c3dfc246e838f177d5758311995c6fa
Instruction ID: 6cfbc6d17aabad81b5b106fe63f1999e49cdb119c4a97786fe8d2ec62f0a0950
Opcode Fuzzy Hash: ad12e137b0566e539ec48c87203486ce3c3dfc246e838f177d5758311995c6fa
Instruction Fuzzy Hash: 68B1A53160578582FA26AB63B5447EE67A1BB8CBC4F401029FF4A0B7B6EF3AC5158740

Function 0000000140013D10 Relevance: 31.7, APIs: 14, Strings: 4, Instructions: 200sleepregistryserviceCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140010290: GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140004171), ref: 0000000140010296
Part of subcall function 0000000140010290: RtlAllocateHeap.NTDLL(?,?,?,?,?,0000000140004171), ref: 00000001400102AA

Sleep.KERNEL32 ref: 0000000140013D95
_snwprintf_s.LIBCMT ref: 0000000140013DC4
RegisterServiceCtrlHandlerExW.ADVAPI32 ref: 0000000140013E71
GetLastError.KERNEL32 ref: 0000000140013E83
SetServiceStatus.ADVAPI32 ref: 0000000140013EE7
GetServiceDisplayNameW.ADVAPI32 ref: 0000000140013F5C
CloseServiceHandle.ADVAPI32 ref: 0000000140013F65
InitializeCriticalSection.KERNEL32 ref: 0000000140013F7B
CreateWaitableTimerW.KERNEL32 ref: 0000000140013F91
GetLastError.KERNEL32 ref: 0000000140013FA3

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

InitializeCriticalSection.KERNEL32 ref: 0000000140013FD1
GetCurrentProcess.KERNEL32 ref: 0000000140013FEA
CreateThread.KERNEL32 ref: 000000014001402F
GetLastError.KERNEL32 ref: 000000014001403A

Strings

debug, xrefs: 0000000140013D60
service->name, xrefs: 0000000140013DE0
NSSM, xrefs: 0000000140013E6A
service_main(), xrefs: 0000000140013DD9

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Service$ErrorEventLast$CreateCriticalHeapInitializeProcessRegisterSectionSource$AllocAllocateCloseCtrlCurrentDeregisterDisplayHandleHandlerLocalNameReportSleepStatusThreadTimerValueWaitable_snwprintf_s
String ID: NSSM$debug$service->name$service_main()
API String ID: 1666988295-3121758583
Opcode ID: 232ef101459a34ba4e97bc38d354e551541c59c984acad53f48cefa515037594
Instruction ID: 391d97ab9eb6af0e6816f0a333b294f2bc5ca0cf5282711f4ea3fa88c4337364
Opcode Fuzzy Hash: 232ef101459a34ba4e97bc38d354e551541c59c984acad53f48cefa515037594
Instruction Fuzzy Hash: 43A18F71A04B8086F752DF37A8017DA77A0FB4D7C8F48062AAB598B3B5DF398905CB50

Function 0000000140021B40 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021BB2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021BC8
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021C72
malloc.LIBCMT ref: 0000000140021CE3
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021D1A
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021D3F
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021D8F
malloc.LIBCMT ref: 0000000140021DE2
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021E1C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021E5F
free.LIBCMT ref: 0000000140021E70
free.LIBCMT ref: 0000000140021E7E
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021F0D
malloc.LIBCMT ref: 0000000140021F7B
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 0000000140021FC4
free.LIBCMT ref: 000000014002200C
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000001400220F1), ref: 000000014002202C
free.LIBCMT ref: 000000014002203E
free.LIBCMT ref: 0000000140022050

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: bcf4e56cdb41816d9ab4cf6d17006c74b5e0cdac7c2592137a90cf9d59c2fbdf
Instruction ID: d87029fe98a7cd502051614993c32973fbf8f1b99cdc22530c100499747c406a
Opcode Fuzzy Hash: bcf4e56cdb41816d9ab4cf6d17006c74b5e0cdac7c2592137a90cf9d59c2fbdf
Instruction Fuzzy Hash: 54F1B1326006808AEB628F66D8407DD77E1F79CBE8F544629FB5A57BE8DB38CD418700

Function 000000014000A180 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

GetProcessHeap.KERNEL32 ref: 000000014000A1D6
HeapAlloc.KERNEL32 ref: 000000014000A1EA
GetCommandLineW.KERNEL32 ref: 000000014000A221
_snwprintf_s.LIBCMT ref: 000000014000A23F
ShellExecuteExW.SHELL32 ref: 000000014000A299
GetProcessHeap.KERNEL32 ref: 000000014000A2A9
HeapFree.KERNEL32 ref: 000000014000A2B7

Strings

", xrefs: 000000014000A250
runas, xrefs: 000000014000A1B8
GetCommandLine(), xrefs: 000000014000A204
elevate(), xrefs: 000000014000A1FD
p, xrefs: 000000014000A1BF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess$AllocCommandExecuteLineLocalShell_snwprintf_s_vfwprintf_p
String ID: "$GetCommandLine()$elevate()$p$runas
API String ID: 568333785-2664397508
Opcode ID: 783b1db419e6da8296bc21220930b56356767060dd0a3c5355d5f8fa1b9bd47e
Instruction ID: 2077ac3bbf38e24c34af6bbde4a8a7d20c8c22cec92f61cf467793f99d6e06a8
Opcode Fuzzy Hash: 783b1db419e6da8296bc21220930b56356767060dd0a3c5355d5f8fa1b9bd47e
Instruction Fuzzy Hash: 96315C71615B9582E7129B22B8047EA33A1F7897E4F404229FB69437E9DF3DC905C740

Function 000000014000A810 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000000014000A814
OpenThreadToken.ADVAPI32 ref: 000000014000A829
GetLastError.KERNEL32 ref: 000000014000A833
ImpersonateSelf.ADVAPI32 ref: 000000014000A845
GetCurrentThread.KERNEL32 ref: 000000014000A84B
OpenThreadToken.ADVAPI32 ref: 000000014000A860
LookupPrivilegeValueW.ADVAPI32 ref: 000000014000A888
AdjustTokenPrivileges.ADVAPI32 ref: 000000014000A8D5
AdjustTokenPrivileges.ADVAPI32 ref: 000000014000A919
CloseHandle.KERNEL32 ref: 000000014000A928

Strings

SeDebugPrivilege, xrefs: 000000014000A877

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ThreadToken$AdjustCurrentOpenPrivileges$CloseErrorHandleImpersonateLastLookupPrivilegeSelfValue
String ID: SeDebugPrivilege
API String ID: 2095247420-2896544425
Opcode ID: 3e7152db20e3f8e3e4ac19a98164bd4134ace9dbb4197a0a704cf1b4ed9552ec
Instruction ID: 1f60dc984ff7cd1ee9279a057587273100a33775c52be9d20afd9c1c22f79b8e
Opcode Fuzzy Hash: 3e7152db20e3f8e3e4ac19a98164bd4134ace9dbb4197a0a704cf1b4ed9552ec
Instruction Fuzzy Hash: 42310672608B8482EB51DF26F44478AB7A0F789B94F400219F78A43AB8DF3CD549CB40

Function 000000014000ACB0 Relevance: 16.6, APIs: 11, Instructions: 109processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014000ACC9
GetLastError.KERNEL32 ref: 000000014000ACD7

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

GetLastError.KERNEL32 ref: 000000014000AD4A
CloseHandle.KERNEL32 ref: 000000014000AD77

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$ErrorLastSource$AllocCloseCreateDeregisterHandleLocalRegisterReportSnapshotToolhelp32Value
String ID:
API String ID: 3638057332-0
Opcode ID: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
Instruction ID: d4a25d63226701a5820217a3ec4a756d52cdc905e9f9b02ee8c88e4c8cc5a9cb
Opcode Fuzzy Hash: 736b111b100a646399828fc1beca10fc05defdbe9cab0c2b345cb83a7c5a2b91
Instruction Fuzzy Hash: 7F417E7261468086E781DB36F54079A77A1E78DBD4F400229FB9A97BA9EF3CC841CB40

Function 000000014001DBB8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B
GetStdHandle.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DD87
WriteFile.KERNEL32 ref: 000000014001DDC1

Strings

..., xrefs: 000000014001DCDE
<program name unknown>, xrefs: 000000014001DC85
Microsoft Visual C++ Runtime Library, xrefs: 000000014001DD6B
Runtime Error!Program: , xrefs: 000000014001DC3A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 76b32cf82c17dd4405aab22500cf80e41e04892a9192f50629b7580b2b5dfafe
Instruction ID: 4619fa3bf99482af2e3b2e7abf25445da3b72f923f0fd6b82687fc6d9c2ecd06
Opcode Fuzzy Hash: 76b32cf82c17dd4405aab22500cf80e41e04892a9192f50629b7580b2b5dfafe
Instruction Fuzzy Hash: C351FD31310A8242FB26DBA7E9557EA3252B79C7C8F54462ABF494BAF6CF3DC544C200

Function 0000000140018800 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,000000014002116F,?,?,?,00000001,00000000,?,00000001), ref: 000000014001C997
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,000000014002116F,?,?,?,00000001,00000000,?,00000001), ref: 000000014001C9B6
RtlVirtualUnwind.KERNEL32 ref: 000000014001CA02
IsDebuggerPresent.KERNEL32 ref: 000000014001CA74
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014001CA8C
UnhandledExceptionFilter.KERNEL32 ref: 000000014001CA99
GetCurrentProcess.KERNEL32 ref: 000000014001CAB2
TerminateProcess.KERNEL32 ref: 000000014001CAC0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
Instruction ID: 68ad1d73d9e93cc6001284d5fa1a39834dd5386839cfa0cf077785c591060cfe
Opcode Fuzzy Hash: 2c73cabdacd67ecc1ab47cb5ea7a511d34c178d29615d86a7b68e056a520e744
Instruction Fuzzy Hash: B231F231105F808AEB629B62F8543DA73A1F78C3D4F60452AEB8E43B75DF38C4948B00

Function 0000000140023864 Relevance: 10.6, APIs: 7, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400238AA
_errno.LIBCMT ref: 0000000140023918
_errno.LIBCMT ref: 0000000140023923
_errno.LIBCMT ref: 0000000140023957
WideCharToMultiByte.KERNEL32 ref: 00000001400239F2
GetLastError.KERNEL32 ref: 0000000140023A12
_errno.LIBCMT ref: 0000000140023A38

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
Instruction ID: c1f587e2613b7e2320280e204ff58a8efa348b9f757dde8eac3d56b3eb560925
Opcode Fuzzy Hash: de36e9be98680906f13d6fdec89071b2ed5335f68037e9720c0431ee17c4b1d6
Instruction Fuzzy Hash: D35186726047C04AF7729F66E0503EEB790E3897D0F588119F79947AE5DE78CC818B16

Function 000000014001B6C4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014001B703
IsDebuggerPresent.KERNEL32 ref: 000000014001B7A1
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014001B7AB
UnhandledExceptionFilter.KERNEL32 ref: 000000014001B7B6
GetCurrentProcess.KERNEL32 ref: 000000014001B7CC
TerminateProcess.KERNEL32 ref: 000000014001B7DA

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: db0e8556fbde31411f20dd6a3de043652d6dc213d7a28bc9c9def38311efb816
Instruction ID: dbf51be08b14eccf182f8a2a6019e3681ceeefd0d48998f919ae06a8e142e91c
Opcode Fuzzy Hash: db0e8556fbde31411f20dd6a3de043652d6dc213d7a28bc9c9def38311efb816
Instruction Fuzzy Hash: 0A314972208B8182EB259B66F4443DAB3A4F79C784F500129ABCD43AA9EF7CC548CF00

Function 0000000140002840 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 0000000140002860
FindResourceExW.KERNEL32 ref: 0000000140002874
GetLastError.KERNEL32 ref: 000000014000287F
FindResourceExW.KERNEL32 ref: 000000014000289C
LoadResource.KERNEL32 ref: 00000001400028AC
CreateDialogIndirectParamW.USER32 ref: 00000001400028C7

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Resource$Find$CreateDefaultDialogErrorIndirectLangLastLoadParamUser
String ID:
API String ID: 940021595-0
Opcode ID: fed401cc8e8f5612569b6891206cde108573bd67a878dd979692201b7d3e6802
Instruction ID: 9944d1bd91ac6ef74c3327299d60d6f918d01a8079eaa409e9ba49cf5d91b016
Opcode Fuzzy Hash: fed401cc8e8f5612569b6891206cde108573bd67a878dd979692201b7d3e6802
Instruction Fuzzy Hash: F601887570578082EB165B63B80479AA360BB4CFC0F18843DAF89437B4DF3CD8418750

Function 0000000140019CB4 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140019CF8

Part of subcall function 000000014001B7EC: DecodePointer.KERNEL32 ref: 000000014001B813

_errno.LIBCMT ref: 0000000140019D25
_errno.LIBCMT ref: 0000000140019D73
_errno.LIBCMT ref: 0000000140019DB9
_errno.LIBCMT ref: 0000000140019DD2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 9931ccc4ea3a3858abefdf71ca0561b1e710505d0c46915268689c3ffa0de49b
Instruction ID: 44ef4eb01c81118c6643f99bc6a2e946d05f9bc6aed31f978ef6c775e81dc10f
Opcode Fuzzy Hash: 9931ccc4ea3a3858abefdf71ca0561b1e710505d0c46915268689c3ffa0de49b
Instruction Fuzzy Hash: 1631E332B1065442F3279B3BA5827EE6552A78C794F588219FB250FBFACF3AC441C700

Function 000000014000A050 Relevance: 4.5, APIs: 3, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000000014000A0C0
CheckTokenMembership.ADVAPI32 ref: 000000014000A0D8
FreeSid.ADVAPI32 ref: 000000014000A0E3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
Instruction ID: 48eee273634d74207520e7cdaf30b75688e279164638d9c4aace6fd17198c53c
Opcode Fuzzy Hash: 3be228cc09c29312831331bff11f0d4ef4207261988248bd0618be56e79fc0d1
Instruction Fuzzy Hash: 1211F872618B808AE752CB26F45434BBBE0F399784F54005AE7C987B69DB3DD109CF40

Function 0000000140023D20 Relevance: 4.5, APIs: 3, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140023D5F
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140023DA5
UnhandledExceptionFilter.KERNEL32 ref: 0000000140023DB0

Part of subcall function 000000014001DBB8: GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 1772c0e6350e5a06dade1ac13ce35099e640e8ea5e04fc13367c51db8d1894a0
Instruction ID: 46ba363e4b0eae91f713770cd299bb224122c89c83ee0360e1bb8fbde21d07a9
Opcode Fuzzy Hash: 1772c0e6350e5a06dade1ac13ce35099e640e8ea5e04fc13367c51db8d1894a0
Instruction Fuzzy Hash: DD014C35214A8481F6669762F4543DA73A1FB8D385F440129BB8E0BAFADF3DC905CB11

Function 00000001400245E8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000140024610

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 06faa0f0bb2dc971177e39b3f6ed31a2957b8d98190a0f00278e0934fa454d68
Instruction ID: b5e575d4c44cd20b866f75d5ef2225df689e7b31d630515f6afed79aa59475fa
Opcode Fuzzy Hash: 06faa0f0bb2dc971177e39b3f6ed31a2957b8d98190a0f00278e0934fa454d68
Instruction Fuzzy Hash: 36E06D31618A8085FB32D722E4513CA2750A79D798F800216FB8D476F5DE3CC6098B00

Function 0000000140020180 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002018B

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 114d92dcbf7d2c8af530ca3185321c199e066624115f7fe8c2d49beb1dc33ef1
Instruction ID: a7c7f3dcdb102532dc9973edfc0c04c9e05a3ec38676fa0d26270a69678edde2
Opcode Fuzzy Hash: 114d92dcbf7d2c8af530ca3185321c199e066624115f7fe8c2d49beb1dc33ef1
Instruction Fuzzy Hash: E7B01230B12840C1D705AB33EC863C012A07F5C340FD00858D20DC2131EA3C89EBC700

Function 0000000140001220 Relevance: 77.3, APIs: 37, Strings: 7, Instructions: 322memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400012AB
HeapAlloc.KERNEL32 ref: 00000001400012B9
GetComputerNameW.KERNEL32 ref: 00000001400012EE
GetProcessHeap.KERNEL32 ref: 0000000140001315
HeapAlloc.KERNEL32 ref: 0000000140001323
LsaClose.ADVAPI32 ref: 0000000140001361
GetProcessHeap.KERNEL32 ref: 00000001400013AE
HeapFree.KERNEL32 ref: 00000001400013BC
LsaClose.ADVAPI32 ref: 00000001400013D5
LsaFreeMemory.ADVAPI32 ref: 00000001400015E9
LsaFreeMemory.ADVAPI32 ref: 00000001400015F3
GetSidIdentifierAuthority.ADVAPI32 ref: 0000000140001621
InitializeSid.ADVAPI32 ref: 0000000140001631
GetLastError.KERNEL32 ref: 000000014000163B
GetProcessHeap.KERNEL32 ref: 0000000140001643
HeapFree.KERNEL32 ref: 0000000140001651
LsaFreeMemory.ADVAPI32 ref: 000000014000165C
LsaFreeMemory.ADVAPI32 ref: 0000000140001666
GetSidSubAuthority.ADVAPI32 ref: 00000001400016A9
GetSidSubAuthority.ADVAPI32 ref: 00000001400016BF
LsaFreeMemory.ADVAPI32 ref: 0000000140001717
LsaFreeMemory.ADVAPI32 ref: 0000000140001721
LsaFreeMemory.ADVAPI32 ref: 0000000140001735
LsaFreeMemory.ADVAPI32 ref: 000000014000173F

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Strings

username_sid(), xrefs: 00000001400013DF
username_sid, xrefs: 0000000140001336, 0000000140001586
SID, xrefs: 000000014000158D
NT Service\, xrefs: 00000001400014D2
expanded, xrefs: 000000014000133D
%s\%s, xrefs: 0000000140001378
LSA_UNICODE_STRING, xrefs: 00000001400013E6

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Free$HeapMemory$Process$Authority$AllocClose$ComputerErrorIdentifierInitializeLastLocalName_vfwprintf_p
String ID: %s\%s$LSA_UNICODE_STRING$NT Service\$SID$expanded$username_sid$username_sid()
API String ID: 69952446-4149950637
Opcode ID: 92efc2b86d5c6147075e5e9320d55aa18b01e5cf5b5004848248b986e7ef1e03
Instruction ID: 50195b4bb22f38393f53dc6e2ddd160500ea8e110de682d4c5e502559bc3d69a
Opcode Fuzzy Hash: 92efc2b86d5c6147075e5e9320d55aa18b01e5cf5b5004848248b986e7ef1e03
Instruction Fuzzy Hash: 53E14E75204A8082EA12EB63E4507DA67A1FBCDBD4F444125FB4E477BADF39C946C700

Function 0000000140022410 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140022425

Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480

free.LIBCMT ref: 000000014002242E
free.LIBCMT ref: 0000000140022437
free.LIBCMT ref: 0000000140022440
free.LIBCMT ref: 0000000140022449
free.LIBCMT ref: 0000000140022452
free.LIBCMT ref: 000000014002245A
free.LIBCMT ref: 0000000140022463
free.LIBCMT ref: 000000014002246C
free.LIBCMT ref: 0000000140022475
free.LIBCMT ref: 000000014002247E
free.LIBCMT ref: 0000000140022487
free.LIBCMT ref: 0000000140022490
free.LIBCMT ref: 0000000140022499
free.LIBCMT ref: 00000001400224A2
free.LIBCMT ref: 00000001400224AB
free.LIBCMT ref: 00000001400224B7
free.LIBCMT ref: 00000001400224C3
free.LIBCMT ref: 00000001400224CF
free.LIBCMT ref: 00000001400224DB
free.LIBCMT ref: 00000001400224E7
free.LIBCMT ref: 00000001400224F3
free.LIBCMT ref: 00000001400224FF
free.LIBCMT ref: 000000014002250B
free.LIBCMT ref: 0000000140022517
free.LIBCMT ref: 0000000140022523
free.LIBCMT ref: 000000014002252F
free.LIBCMT ref: 000000014002253B
free.LIBCMT ref: 0000000140022547
free.LIBCMT ref: 0000000140022553
free.LIBCMT ref: 000000014002255F
free.LIBCMT ref: 000000014002256B
free.LIBCMT ref: 0000000140022577
free.LIBCMT ref: 0000000140022583
free.LIBCMT ref: 000000014002258F
free.LIBCMT ref: 000000014002259B
free.LIBCMT ref: 00000001400225A7
free.LIBCMT ref: 00000001400225B3
free.LIBCMT ref: 00000001400225BF
free.LIBCMT ref: 00000001400225CB
free.LIBCMT ref: 00000001400225D7
free.LIBCMT ref: 00000001400225E3
free.LIBCMT ref: 00000001400225EF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
Instruction ID: 8d2492f42c3375f3df4473a04d93de8bff90f0277a39e01c48f8c640fe808fed
Opcode Fuzzy Hash: 0b0a0ae3fdfc1ed0fa13838e4ad93de12d14e6b930d1803b0b0efe21a5381680
Instruction Fuzzy Hash: 59417432A1158883FA57BB77C8563EC1320ABCAB84F444231BB5D6F6B7CEB5C8459360

Function 000000014000B2D0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 236processCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 000000014000B33D
_snwprintf_s.LIBCMT ref: 000000014000B362
OpenProcess.KERNEL32 ref: 000000014000B3B0
_snwprintf_s.LIBCMT ref: 000000014000B3E1
GetExitCodeProcess.KERNEL32 ref: 000000014000B443
GetLastError.KERNEL32 ref: 000000014000B461
CloseHandle.KERNEL32 ref: 000000014000B49C
CloseHandle.KERNEL32 ref: 000000014000B4E8
CreateToolhelp32Snapshot.KERNEL32 ref: 000000014000B52D
GetLastError.KERNEL32 ref: 000000014000B53B

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

GetLastError.KERNEL32 ref: 000000014000B599

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

CloseHandle.KERNEL32 ref: 000000014000B5CA
Process32NextW.KERNEL32 ref: 000000014000B613
Process32NextW.KERNEL32 ref: 000000014000B65B
GetLastError.KERNEL32 ref: 000000014000B664
CloseHandle.KERNEL32 ref: 000000014000B679

Strings

%lu, xrefs: 000000014000B31F, 000000014000B34A, 000000014000B3CA
AppStopMethodSkip, xrefs: 000000014000B4AA
NSSM, xrefs: 000000014000B4BF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CloseErrorHandleLast$Event_snwprintf_s$NextProcessProcess32Source$AllocCodeCreateDeregisterExitLocalOpenRegisterReportSnapshotToolhelp32Value
String ID: %lu$AppStopMethodSkip$NSSM
API String ID: 3491791553-153837258
Opcode ID: 0c7385911431ca271a527a88f3baef0bf870f7267b49319b7ae97b48872975ef
Instruction ID: 228514648ff0bd046f16d9da10956bf1708be2c3e3f6d233c5a9c556325b648d
Opcode Fuzzy Hash: 0c7385911431ca271a527a88f3baef0bf870f7267b49319b7ae97b48872975ef
Instruction Fuzzy Hash: 33B149B1204B8486EB25DB62E4543DA73A0F78DBD8F800215FB99477AADF3DCA058B41

Function 0000000140016190 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

dependencies, xrefs: 0000000140016285
native_set_dependongroup, xrefs: 000000014001627E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: dependencies$native_set_dependongroup
API String ID: 0-409972118
Opcode ID: 739a02f57c687493ff17d25acbd0d647586937320d629fc731b6e7eb5aacb352
Instruction ID: 03521c866b4c7cfe6bf2b1022ff6480705ab1916cd7ea62ef3b9d3751cacd87a
Opcode Fuzzy Hash: 739a02f57c687493ff17d25acbd0d647586937320d629fc731b6e7eb5aacb352
Instruction Fuzzy Hash: 62716C71604B8082EA269B77B8143DA67A1FB8DBD4F044129FB99477B9DF3DC944CB40

Function 0000000140016720 Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400167E5
HeapAlloc.KERNEL32 ref: 00000001400167F3
GetProcessHeap.KERNEL32 ref: 000000014001682D
HeapFree.KERNEL32 ref: 000000014001683D
GetProcessHeap.KERNEL32 ref: 000000014001684B
HeapFree.KERNEL32 ref: 000000014001685B

Strings

native_set_dependonservice, xrefs: 000000014001680A
dependencies, xrefs: 0000000140016811

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$Free$Alloc
String ID: dependencies$native_set_dependonservice
API String ID: 3689955550-2849880886
Opcode ID: e09cbeb6ba163b7733074487d8c5ea57c5f9c57d39f7d7db8b5e54c9bc97f286
Instruction ID: 4c18f0a9f8906bac8d29316d0d99a19f8ca38918d160cccc75a1141df60495ad
Opcode Fuzzy Hash: e09cbeb6ba163b7733074487d8c5ea57c5f9c57d39f7d7db8b5e54c9bc97f286
Instruction Fuzzy Hash: 53714B71604B8082EA269B77A8143DA67A1FB8DBD4F444129FB89477B9DF3DC845CB40

Function 00000001400102F0 Relevance: 30.1, APIs: 20, Instructions: 91memoryserviceCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140010312
HeapFree.KERNEL32 ref: 0000000140010320
GetProcessHeap.KERNEL32 ref: 0000000140010340
HeapFree.KERNEL32 ref: 0000000140010352
GetProcessHeap.KERNEL32 ref: 0000000140010364
HeapFree.KERNEL32 ref: 0000000140010372
GetProcessHeap.KERNEL32 ref: 0000000140010384
HeapFree.KERNEL32 ref: 0000000140010392
GetProcessHeap.KERNEL32 ref: 00000001400103A4
HeapFree.KERNEL32 ref: 00000001400103B2
CloseServiceHandle.ADVAPI32 ref: 00000001400103C4
CloseHandle.KERNEL32 ref: 00000001400103D6
UnregisterWait.KERNEL32 ref: 00000001400103E8
DeleteCriticalSection.KERNEL32 ref: 00000001400103FE
CloseHandle.KERNEL32 ref: 0000000140010410
DeleteCriticalSection.KERNEL32 ref: 0000000140010426
GetProcessHeap.KERNEL32 ref: 0000000140010438
HeapFree.KERNEL32 ref: 0000000140010446
GetProcessHeap.KERNEL32 ref: 000000014001044C
HeapFree.KERNEL32 ref: 000000014001045A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess$CloseHandle$CriticalDeleteSection$ServiceUnregisterWait
String ID:
API String ID: 721818521-0
Opcode ID: 8b1967781c819801c2282c7234f9428b6f988098830cbf00d7948db7f41d6083
Instruction ID: e9855117271ec644d348db211c8dcb89f8f0867333612b95edce9907f1671582
Opcode Fuzzy Hash: 8b1967781c819801c2282c7234f9428b6f988098830cbf00d7948db7f41d6083
Instruction Fuzzy Hash: 2D413D74601E90C2EB56DBB395183E963A1BF8DFD5F084138AF4A57778DE3889448710

Function 0000000140006E20 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140006E60
HeapAlloc.KERNEL32 ref: 0000000140006E71
CloseHandle.KERNEL32 ref: 0000000140006F2A
GetProcessHeap.KERNEL32 ref: 0000000140006FA3
HeapAlloc.KERNEL32 ref: 0000000140006FB1
GetProcessHeap.KERNEL32 ref: 000000014000705B
HeapFree.KERNEL32 ref: 0000000140007069

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

retain, xrefs: 0000000140006E91
data, xrefs: 0000000140006FC9
await_hook_threads(), xrefs: 0000000140006E8A, 0000000140006FC2
await_hook_threads, xrefs: 0000000140006EE1, 0000000140006F73

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$EventProcess$AllocSource$CloseDeregisterFreeHandleRegisterReport
String ID: await_hook_threads$await_hook_threads()$data$retain
API String ID: 2142993808-1900669911
Opcode ID: d01ba2fbf3bcc440b567fc7c1a7f886c0b57a6a8111ab25369b635bf27e9f7c9
Instruction ID: 780427434044c61dd547f03e7bf771bfcca09c03c361e120a64a7bde647cd176
Opcode Fuzzy Hash: d01ba2fbf3bcc440b567fc7c1a7f886c0b57a6a8111ab25369b635bf27e9f7c9
Instruction Fuzzy Hash: 2A6178B6601A8086EA16DF23F8503EA73A5F78CBC4F548129EF8E53764DF39C9128700

Function 0000000140001780 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 146COMMON

Download Yara Rule

Strings

canon, xrefs: 000000014000196E
lsa_canon, xrefs: 00000001400018BE
username_sid, xrefs: 00000001400018B7, 0000000140001967

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: canon$lsa_canon$username_sid
API String ID: 0-3165952623
Opcode ID: 61a4d28acd9b3c91b8a6b98856a030ccb66226a499a1cfe347736c4baa40fbbe
Instruction ID: 2a8286567617ec90dd27cdb103d0c73c0caae6ca0e22823ef32155b10df1f8e5
Opcode Fuzzy Hash: 61a4d28acd9b3c91b8a6b98856a030ccb66226a499a1cfe347736c4baa40fbbe
Instruction Fuzzy Hash: 51516176610A8582EA02EF66E4117DA6364FBC8BD4F444026FF4D47BAAEE39C586C710

Function 0000000140004690 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 143memorywindowCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400046CE
HeapAlloc.KERNEL32 ref: 00000001400046DF
_snwprintf_s.LIBCMT ref: 0000000140004774
LocalFree.KERNEL32 ref: 000000014000478E
_snwprintf_s.LIBCMT ref: 00000001400047C0
GetProcessHeap.KERNEL32 ref: 0000000140004801
HeapAlloc.KERNEL32 ref: 0000000140004812
_snwprintf_s.LIBCMT ref: 0000000140004851
_snwprintf_s.LIBCMT ref: 0000000140004878

Part of subcall function 0000000140002530: GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4

GetOpenFileNameW.COMDLG32 ref: 00000001400048AF
SendMessageW.USER32 ref: 00000001400048DD
GetProcessHeap.KERNEL32 ref: 00000001400048EB
HeapFree.KERNEL32 ref: 00000001400048FB
GetProcessHeap.KERNEL32 ref: 0000000140004909
HeapFree.KERNEL32 ref: 0000000140004919

Strings

:%s:, xrefs: 000000014000483C

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process_snwprintf_s$AllocFreeMessage$Format$DefaultFileLangLocalNameOpenSendUser
String ID: :%s:
API String ID: 293816848-1112191061
Opcode ID: 724d6725c9227211ad7173d27c787d1fbc941b97eaedc79ecfb1e8cb120bc382
Instruction ID: f4c02c16514924a05df0f0130103984169df6d8ae751033e802da1f55740790b
Opcode Fuzzy Hash: 724d6725c9227211ad7173d27c787d1fbc941b97eaedc79ecfb1e8cb120bc382
Instruction Fuzzy Hash: 85616B71604A8082E761DB66F8043DA62A1FB8D7F4F504329BBBA47BE9DF3CC5458B00

Function 000000014001F794 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014001957C: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400195F0

__GetUnwindTryBlock.LIBCMT ref: 000000014001F805
__SetUnwindTryBlock.LIBCMT ref: 000000014001F82D

Part of subcall function 0000000140024004: RaiseException.KERNEL32 ref: 0000000140024084

__GetUnwindTryBlock.LIBCMT ref: 000000014001F837
_getptd.LIBCMT ref: 000000014001F88C
_getptd.LIBCMT ref: 000000014001F89E
_getptd.LIBCMT ref: 000000014001F8AA
_SetThrowImageBase.LIBCMT ref: 000000014001F8C7
_getptd.LIBCMT ref: 000000014001F917
_getptd.LIBCMT ref: 000000014001F929
_getptd.LIBCMT ref: 000000014001F935
_getptd.LIBCMT ref: 000000014001FC76

Strings

csm, xrefs: 000000014001F8E3
csm, xrefs: 000000014001FA13
bad exception, xrefs: 000000014001F9C3
csm, xrefs: 000000014001F84D

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
String ID: bad exception$csm$csm$csm
API String ID: 2351602029-820278400
Opcode ID: 94f2d7a7ac3fbf0c7e408cc05698066adc522e88fcd38db2d59bce62785e5561
Instruction ID: 4ff304013d71e1c421c352ba0f3210a58c520cabd4eb8e9e99b64509a02ee7b9
Opcode Fuzzy Hash: 94f2d7a7ac3fbf0c7e408cc05698066adc522e88fcd38db2d59bce62785e5561
Instruction Fuzzy Hash: 95E1A27220478086EA72AB27A1403ED77A0F74CBC4F444525FF890BBAACF39D591D741

Function 0000000140013690 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 226timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140011585), ref: 00000001400136EC
GetExitCodeProcess.KERNEL32 ref: 000000014001370B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000140011585), ref: 0000000140013740
_snwprintf_s.LIBCMT ref: 0000000140013779
EnterCriticalSection.KERNEL32 ref: 0000000140013947
LeaveCriticalSection.KERNEL32 ref: 000000014001396B

Part of subcall function 000000014000AA80: GetProcessTimes.KERNEL32 ref: 000000014000AAA2
Part of subcall function 000000014000AA80: GetLastError.KERNEL32 ref: 000000014000AAAC

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Part of subcall function 0000000140011450: UnregisterWait.KERNEL32 ref: 000000014001148E
Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011526
Part of subcall function 0000000140011450: EnterCriticalSection.KERNEL32 ref: 00000001400115A5
Part of subcall function 0000000140011450: LeaveCriticalSection.KERNEL32 ref: 00000001400115CE
Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011610

Strings

`, xrefs: 0000000140013810
%lu, xrefs: 000000014001375D
Post, xrefs: 00000001400137F8
Exit, xrefs: 00000001400137FF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CriticalSection$Event$EnterLeaveProcessServiceSourceStatusTime$CloseCodeDeregisterErrorExitFileHandleLastRegisterReportSystemTimesUnregisterWait_snwprintf_s
String ID: %lu$Exit$Post$`
API String ID: 3610551520-1249451036
Opcode ID: 642cab63ffa1f930bf2db4ea8372a97cdcc443e84d7dfb65cdf66ffba4770686
Instruction ID: 9c6898da4b82adcd527d375305501d490671b7e5d756c49b4bab06ebdae18802
Opcode Fuzzy Hash: 642cab63ffa1f930bf2db4ea8372a97cdcc443e84d7dfb65cdf66ffba4770686
Instruction Fuzzy Hash: FFB17C76604BC582E722DF22E4513DB73A4F789B88F540126FF890B6A9DF39C949CB10

Function 00000001400150A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140015102
GetProcessAffinityMask.KERNEL32 ref: 0000000140015115

Strings

All, xrefs: 000000014001513E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID: All
API String ID: 1231390398-55916349
Opcode ID: eff96e4369339bbba2c319400aa00bee1043dd448a0f535bee212858d1ac3183
Instruction ID: 89333b989c272c6900fa0fe1462a190d1688c94fb8f165d787664ba4dc7caf2a
Opcode Fuzzy Hash: eff96e4369339bbba2c319400aa00bee1043dd448a0f535bee212858d1ac3183
Instruction Fuzzy Hash: 1B716172204B80C1EA62EB63E4403DA63A5FB8DBD4F444125FF9E8B7A9EF38C5458700

Function 0000000140001AD0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

SeServiceLogonRight, xrefs: 0000000140001B64

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: SeServiceLogonRight
API String ID: 0-347471591
Opcode ID: 1ca323ff7544cbea062a316e85ed950d70d80caaa4b078221830f27f3448ad9d
Instruction ID: a0f944345680951f5638d9c7f8e84b06276241971c720b1fbeca9eec54f8535e
Opcode Fuzzy Hash: 1ca323ff7544cbea062a316e85ed950d70d80caaa4b078221830f27f3448ad9d
Instruction Fuzzy Hash: 8051307260464082E612EB26B4517DB66A1F7C97D0F550125FF5E87BB6DE38C942C700

Function 00000001400067E0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 100memorysynchronizationtimeCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 000000014000680A
GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140006872
CloseHandle.KERNEL32 ref: 000000014000688B
GetProcessHeap.KERNEL32 ref: 0000000140006899
HeapFree.KERNEL32 ref: 00000001400068A7
GetProcessHeap.KERNEL32 ref: 00000001400068AD
HeapFree.KERNEL32 ref: 00000001400068BB

Strings

hook, xrefs: 0000000140006832

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcessTime$CloseFileHandleObjectSingleSystemWait
String ID: hook
API String ID: 2152274456-2757247829
Opcode ID: 09c5df5f2420748436591441a970fd3aa0a79a693a197f012b347bfb45edf898
Instruction ID: d1e46cd8051026dbb071bf6fa3c4f2d243ea7f00bf048e6cb1231a60534f5b15
Opcode Fuzzy Hash: 09c5df5f2420748436591441a970fd3aa0a79a693a197f012b347bfb45edf898
Instruction Fuzzy Hash: 3C4134B6601B8486EB16CF66E84435967A1FB88FD8F144119EF4A53768DF38C896CB40

Function 000000014000BDB0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 121memoryregistryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000BDD4
HeapAlloc.KERNEL32 ref: 000000014000BDE2
RegQueryValueExW.ADVAPI32 ref: 000000014000BE4C
GetProcessHeap.KERNEL32 ref: 000000014000BE59
HeapFree.KERNEL32 ref: 000000014000BE67

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

get_string(), xrefs: 000000014000BDF3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterFreeQueryRegisterReportValue
String ID: get_string()
API String ID: 4130051898-896229945
Opcode ID: f432ba425df1c334af0d5d8bc6cf21bbf44c8f1dc0a7f0ab12c867f88ba37124
Instruction ID: e01773196815c225b165d9e20bffeedce6d82feaaa2e36e89eb2a6d238022399
Opcode Fuzzy Hash: f432ba425df1c334af0d5d8bc6cf21bbf44c8f1dc0a7f0ab12c867f88ba37124
Instruction Fuzzy Hash: 9F416AB1204A8186F722DB63B8543EA6691F78DBC4F444028FF8943BBADF3CC5458B00

Function 0000000140009600 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 267fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 000000014000967A
GetLastError.KERNEL32 ref: 000000014000968A

Strings

AppStderr, xrefs: 0000000140009A9E
AppStdout, xrefs: 0000000140009856
stdout, xrefs: 000000014000984F, 000000014000988C, 0000000140009906
stderr, xrefs: 00000001400098F3, 0000000140009A97, 0000000140009AD1
stderr_si, xrefs: 0000000140009AD8
stdout_si, xrefs: 0000000140009893

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CreateErrorFileLast
String ID: AppStderr$AppStdout$stderr$stderr_si$stdout$stdout_si
API String ID: 1214770103-3145564883
Opcode ID: 8bc41217d2cab0aac7e5492a8b28b5557a478992bb3363fedfbb000bcd89686d
Instruction ID: 84f8d01f0d4a39fbc827c3b2a16233fbc00f92dc2afb04cd47d387f1aa36e1d9
Opcode Fuzzy Hash: 8bc41217d2cab0aac7e5492a8b28b5557a478992bb3363fedfbb000bcd89686d
Instruction Fuzzy Hash: 06E11AB26046C1CAD761CF35E4417DA77A4F348B98F48463AEF8C4B6A9DB38C945CB20

Function 0000000140015580 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140015722
HeapFree.KERNEL32 ref: 0000000140015732

Strings

AppEnvironment, xrefs: 00000001400157B0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: AppEnvironment
API String ID: 3859560861-948859433
Opcode ID: bf727592a83bd657103b9efa741edc9865e88ac5b80f902545c4b4d6b6b03db5
Instruction ID: 1f537f8a4e15fb6a063128440b77b0ff2ca1e7455b8185a5c21f445aa25c8dd6
Opcode Fuzzy Hash: bf727592a83bd657103b9efa741edc9865e88ac5b80f902545c4b4d6b6b03db5
Instruction Fuzzy Hash: 4871A676604A80C2EA62EB63B4443DA67A0FB8DBD5F544215FF998B6F8DF39C845C700

Function 0000000140011840 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorysynchronizationCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400118A6
HeapAlloc.KERNEL32 ref: 00000001400118B4
_snwprintf_s.LIBCMT ref: 00000001400118D9
_snwprintf_s.LIBCMT ref: 000000014001190C
SetServiceStatus.ADVAPI32 ref: 000000014001193E
_snwprintf_s.LIBCMT ref: 0000000140011967
_snwprintf_s.LIBCMT ref: 0000000140011984
WaitForSingleObject.KERNEL32 ref: 00000001400119D4
GetProcessHeap.KERNEL32 ref: 0000000140011A3B
HeapFree.KERNEL32 ref: 0000000140011A49

Strings

%s(), xrefs: 00000001400118C2
%lu, xrefs: 00000001400118F0, 0000000140011950, 0000000140011970

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap_snwprintf_s$Process$AllocFreeObjectServiceSingleStatusWait
String ID: %lu$%s()
API String ID: 3601813699-699940799
Opcode ID: 0ffba0166ba33d02090c299909e839c505018103f0bb2f8e7f4f694d868e91e3
Instruction ID: 69971400c90e31b65b72574bdd09145e1363e6fa122ccb17f487d7069af77f90
Opcode Fuzzy Hash: 0ffba0166ba33d02090c299909e839c505018103f0bb2f8e7f4f694d868e91e3
Instruction Fuzzy Hash: 17514B76204B8186E6618B62A4503DA73A5F7887E4F50031AEFBD477E9DF39C509C700

Function 0000000140015390 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 125registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 00000001400153DE

Strings

All, xrefs: 00000001400153F1
affinity, xrefs: 0000000140015452
setting_get_affinity, xrefs: 000000014001544B

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: QueryValue
String ID: All$affinity$setting_get_affinity
API String ID: 3660427363-3501811323
Opcode ID: 36e189c61de046a56e77c0e4f0c4d51a8d75b56e4cf18c7dacff24821600d77c
Instruction ID: d992f5cfb115b4e69d8ec94212e49f6658679346330c533de7153ebc08c68e82
Opcode Fuzzy Hash: 36e189c61de046a56e77c0e4f0c4d51a8d75b56e4cf18c7dacff24821600d77c
Instruction Fuzzy Hash: 7B516171608A8082EB22DB66F4503DAA7A1F78DBD4F544125FB8947BB9DF3DC4858B00

Function 000000014000FD70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32 ref: 000000014000FDBC
GetLastError.KERNEL32 ref: 000000014000FDC2
GetProcessHeap.KERNEL32 ref: 000000014000FDD5
HeapAlloc.KERNEL32 ref: 000000014000FDE3

Strings

get_service_description(), xrefs: 000000014000FDF6
SERVICE_CONFIG_DESCRIPTION, xrefs: 000000014000FDFD, 000000014000FEB1, 000000014000FEE4

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DESCRIPTION$get_service_description()
API String ID: 2527037045-119971955
Opcode ID: 87cfc007ee1f7d47041ce5e3710580b357c85b779c488430ea12dfe6e7cffaa3
Instruction ID: ce23d3445b3d502cfd1cee6f423eb33bdad80a8a01337122df70ec9d9f023edb
Opcode Fuzzy Hash: 87cfc007ee1f7d47041ce5e3710580b357c85b779c488430ea12dfe6e7cffaa3
Instruction Fuzzy Hash: 08418E75600B8182EA22EBA3F8007EA67A1BB8DBD4F444129BF4947BB6DF3CC545D700

Function 0000000140002700 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002530: GetUserDefaultLangID.KERNELBASE(?,?,?,?,?,?,00000000,00000001400026CE,?,?,?,00000000,0000000140001065), ref: 0000000140002538
Part of subcall function 0000000140002530: FormatMessageW.KERNELBASE ref: 0000000140002567
Part of subcall function 0000000140002530: FormatMessageW.KERNEL32 ref: 0000000140002599
Part of subcall function 0000000140002530: GetProcessHeap.KERNEL32 ref: 00000001400025A3
Part of subcall function 0000000140002530: HeapAlloc.KERNEL32 ref: 00000001400025B2
Part of subcall function 0000000140002530: _snwprintf_s.LIBCMT ref: 00000001400025D4

MessageBoxW.USER32 ref: 0000000140002755
_wcsftime_l.LIBCMT ref: 0000000140002781
LocalFree.KERNEL32 ref: 000000014000278D
MessageBoxW.USER32 ref: 00000001400027A9

Strings

The message which was supposed to go here is missing!, xrefs: 000000014000274C
e, xrefs: 0000000140002804
NSSM, xrefs: 0000000140002745, 0000000140002793, 00000001400027EC
The message which was supposed to go here is too big!, xrefs: 000000014000279A
P, xrefs: 00000001400027C3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Message$FormatHeap$AllocDefaultFreeLangLocalProcessUser_snwprintf_s_wcsftime_l
String ID: NSSM$P$The message which was supposed to go here is missing!$The message which was supposed to go here is too big!$e
API String ID: 2747969056-1535976118
Opcode ID: 58946c53e902570074538918f1f58bb95ea40b455ed7411fed5f342a362d9c8f
Instruction ID: e0aea5a5f9581d4066fd1c3e1683cd6cd46946633892eee8657d269f664f3205
Opcode Fuzzy Hash: 58946c53e902570074538918f1f58bb95ea40b455ed7411fed5f342a362d9c8f
Instruction Fuzzy Hash: 63316E75215B8186EB629B62F8947DA7364FB8C7D4F804129FB8943BA5DF3CC949CB00

Function 0000000140007E20 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 197COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 0000000140007E7E

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

%s%s, xrefs: 0000000140007EFA, 0000000140007F80, 0000000140008006, 0000000140008094
CreationDisposition, xrefs: 0000000140007F79
ShareMode, xrefs: 0000000140007EF3
FlagsAndAttributes, xrefs: 0000000140007FFF
get_createfile_parameters(), xrefs: 0000000140007E8C, 0000000140007F22, 0000000140007FA8, 000000014000802E, 00000001400080BC
CopyAndTruncate, xrefs: 000000014000808D

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
String ID: %s%s$CopyAndTruncate$CreationDisposition$FlagsAndAttributes$ShareMode$get_createfile_parameters()
API String ID: 3081108292-1260861110
Opcode ID: c099c9cb19559e2fdbbafae6862631fb2bc145655e25f918de2c2d4a7a0ce256
Instruction ID: e75d1d6abf4a235fca88e6547070dcd46e2f06ec00b428c63354f5bbf43e8fee
Opcode Fuzzy Hash: c099c9cb19559e2fdbbafae6862631fb2bc145655e25f918de2c2d4a7a0ce256
Instruction Fuzzy Hash: B2817BB1204A8586E762DB22F850BDA7754F74C7E8F844316FFA9876E5EB38C646C700

Function 0000000140011DB0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 155COMMON

Download Yara Rule

Strings

%s: %lu: %s, xrefs: 0000000140011F6D
%s: %s, xrefs: 0000000140011EF4

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Window$ConsoleHandleProcessStation
String ID: %s: %lu: %s$%s: %s
API String ID: 2390998093-150483647
Opcode ID: dd4fb859678dd9658312077e5fb5972b1ddeae43dbb5eb2bda94efda359b6f6e
Instruction ID: 935a7045af60d552a4a1b6eb069eef078a932ada1a95a9807a014f2b4c9f0a51
Opcode Fuzzy Hash: dd4fb859678dd9658312077e5fb5972b1ddeae43dbb5eb2bda94efda359b6f6e
Instruction Fuzzy Hash: BF618F31204B8582EA26EB52F4443DA73A4FB8DBC4F404225FB990BBA6EF39C556C700

Function 0000000140009400 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 126memorypipethreadCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 000000014000946E
SetHandleInformation.KERNEL32 ref: 0000000140009480
GetProcessHeap.KERNEL32 ref: 0000000140009486
HeapAlloc.KERNEL32 ref: 0000000140009498
GetLastError.KERNEL32 ref: 00000001400094CF
CreateThread.KERNEL32 ref: 000000014000959D
GetLastError.KERNEL32 ref: 00000001400095AB
GetProcessHeap.KERNEL32 ref: 00000001400095CB
HeapFree.KERNEL32 ref: 00000001400095D9

Strings

logger, xrefs: 00000001400094AF
create_logging_thread(), xrefs: 00000001400094A8

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$CreateErrorLastProcess$AllocFreeHandleInformationPipeThread
String ID: create_logging_thread()$logger
API String ID: 3682172063-2332508298
Opcode ID: 6ce080337fbdde164dd771dbbd35574d1c3cc7e9e503ab1a96137a68f46eed7a
Instruction ID: 0f708c83b6d6882e8b311f25b1277f2bd71e346d58eaf93934f5f47650e512b5
Opcode Fuzzy Hash: 6ce080337fbdde164dd771dbbd35574d1c3cc7e9e503ab1a96137a68f46eed7a
Instruction Fuzzy Hash: 9E514B76205B9086E7A1CB63B95079A77A0F78CBC0F44402AEF8983B69DF38D565CB00

Function 000000014000FF20 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfig2W.ADVAPI32 ref: 000000014000FF8A
GetLastError.KERNEL32 ref: 000000014000FF90
GetProcessHeap.KERNEL32 ref: 000000014000FFA3
HeapAlloc.KERNEL32 ref: 000000014000FFB1

Strings

SERVICE_CONFIG_DELAYED_AUTO_START_INFO, xrefs: 000000014001005E
SERVICE_DELAYED_AUTO_START_INFO, xrefs: 000000014000FFCB, 0000000140010080
get_service_startup(), xrefs: 000000014000FFC4

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocConfig2ErrorLastProcessQueryService
String ID: SERVICE_CONFIG_DELAYED_AUTO_START_INFO$SERVICE_DELAYED_AUTO_START_INFO$get_service_startup()
API String ID: 2527037045-1869567720
Opcode ID: 69fb2d42e2d91f1c685f588ffc0fe427bfee43e353695e8c5bf8aefcc2d855ce
Instruction ID: 38db9a9ae14d872f97fdc1de8561fc73ac50b2242696658d995bfcb454e7631e
Opcode Fuzzy Hash: 69fb2d42e2d91f1c685f588ffc0fe427bfee43e353695e8c5bf8aefcc2d855ce
Instruction Fuzzy Hash: 9A417C36604A9186EB12DB66F4043DAB7A0FB8DBC4F444425FB8947BB9EF79C945C700

Function 000000014000FA60 Relevance: 18.2, APIs: 10, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

lpDependencies, xrefs: 000000014000FB55
get_service_dependencies(), xrefs: 000000014000FB4E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: get_service_dependencies()$lpDependencies
API String ID: 0-219018013
Opcode ID: 68ce330cffe9adf813eb05897d5185dfa0d7afdf617ecf9cd4df69588dddc146
Instruction ID: 0b794208b03b107e37140d15cab82f7c2ac1332d20ef532040e36ff5cb6e1006
Opcode Fuzzy Hash: 68ce330cffe9adf813eb05897d5185dfa0d7afdf617ecf9cd4df69588dddc146
Instruction Fuzzy Hash: B1617EB6601A4486EB12DF66E4107A977A4F74CFD8F448015EF4943BB9DF38C896EB00

Function 000000014001C6CC Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000000014001C6EB

Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480

free.LIBCMT ref: 000000014001C6F9
free.LIBCMT ref: 000000014001C707
free.LIBCMT ref: 000000014001C715
free.LIBCMT ref: 000000014001C723
free.LIBCMT ref: 000000014001C731
free.LIBCMT ref: 000000014001C742
free.LIBCMT ref: 000000014001C75A
_lock.LIBCMT ref: 000000014001C764
free.LIBCMT ref: 000000014001C792
_lock.LIBCMT ref: 000000014001C7A7
free.LIBCMT ref: 000000014001C7F1

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 900ce2037cdb037113a81b253223c54e735500e579220bc9ff7a13c552b12bce
Instruction ID: 3f2e47c94607781c5668a653277a2e80905b3f9df4bd34b8ef35c317ec6b371a
Opcode Fuzzy Hash: 900ce2037cdb037113a81b253223c54e735500e579220bc9ff7a13c552b12bce
Instruction Fuzzy Hash: C931613171658046FE57ABA39051BF81350AFCEBD4F481625BB1E0F6E6CF7AC8419721

Function 00000001400146D0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 191registryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00000001400147B4
RegDeleteValueW.ADVAPI32 ref: 00000001400147C6
RegCloseKey.ADVAPI32 ref: 00000001400147D1
_snwprintf_s.LIBCMT ref: 0000000140014832
RegSetValueExW.ADVAPI32 ref: 000000014001494C
GetLastError.KERNEL32 ref: 0000000140014956
RegCloseKey.ADVAPI32 ref: 0000000140014987
RegCloseKey.ADVAPI32 ref: 0000000140014995

Strings

%s, xrefs: 00000001400148AA
Default, xrefs: 000000014001470C

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Close$Value_snwprintf_s$DeleteErrorLast
String ID: %s$Default
API String ID: 3208764733-3635391725
Opcode ID: f968c3f3b5bbd221de3442cd771249ba592d43d4f0135544e74485d0ad2b4540
Instruction ID: 7f3500c77af8523e0b9688c3565e21f73e6fccc2fc3eb3fe9c18069a2d6bb7bc
Opcode Fuzzy Hash: f968c3f3b5bbd221de3442cd771249ba592d43d4f0135544e74485d0ad2b4540
Instruction Fuzzy Hash: 36719F71205A8481FB62AF63A8507DA6390BB8DBE4F441225BF2A4B7F5EF39C545C700

Function 000000014000AE60 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

kill_console, xrefs: 000000014000AFD1

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: kill_console
API String ID: 0-1600766264
Opcode ID: 24588610c75a006a5ec3907880273b6228820f287f5c7304aec0ead17864109a
Instruction ID: 4e94d8b513b1f5e7ee0762e412180e31d9f0e4f8997cd7f6d5a9da43dfda367a
Opcode Fuzzy Hash: 24588610c75a006a5ec3907880273b6228820f287f5c7304aec0ead17864109a
Instruction Fuzzy Hash: ED517CB1204A8086E756DB67B5043EA73A0FB4D7C4F444129FF9A877A9EF3CC9608344

Function 0000000140017720 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400177D2
HeapFree.KERNEL32 ref: 00000001400177E0

Strings

LocalSystem, xrefs: 00000001400177BB
%s, xrefs: 0000000140017865, 0000000140017881
SERVICE_WIN32_OWN_PROCESS, xrefs: 000000014001782B, 000000014001785A
SERVICE_INTERACTIVE_PROCESS, xrefs: 0000000140017768, 0000000140017876

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: %s$LocalSystem$SERVICE_INTERACTIVE_PROCESS$SERVICE_WIN32_OWN_PROCESS
API String ID: 3859560861-1492594695
Opcode ID: fffd49694891c048e89e9d27ed4e9e083eab7d1e701e1650eb288d6d3e09bb87
Instruction ID: 91411cd37f94a30d779ec4d0d885fcc79ea8ecf7b1daad06c6b59b3cb524fe1d
Opcode Fuzzy Hash: fffd49694891c048e89e9d27ed4e9e083eab7d1e701e1650eb288d6d3e09bb87
Instruction Fuzzy Hash: D8516E71600A8581EA22EB63F8147DA36A0FB9DBE4F544129BF5D8B7E5EF38C945C310

Function 00000001400159F0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 117COMMON

Download Yara Rule

Strings

%c%s, xrefs: 0000000140015ACE
dump, xrefs: 0000000140015B56
setting_dump_environment, xrefs: 0000000140015B4F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %c%s$dump$setting_dump_environment
API String ID: 0-3189341153
Opcode ID: 9a0f11384646d509be77c744bea4d997d78b4229cb7c4b37e1591e935d434a64
Instruction ID: a88404555512558ecfb639f2472b13f1a2d02313ba6e537b4a6dd30e16b3868c
Opcode Fuzzy Hash: 9a0f11384646d509be77c744bea4d997d78b4229cb7c4b37e1591e935d434a64
Instruction Fuzzy Hash: FC418672605B8086E7529B22B8407CA73A0FB4DBE4F448215FF59477A8DF38C546C740

Function 0000000140016540 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

%c%s, xrefs: 0000000140016620
setting_dump_dependon, xrefs: 000000014001669F
dump, xrefs: 00000001400166A6

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %c%s$dump$setting_dump_dependon
API String ID: 0-3641056368
Opcode ID: 57a2d30268ecd36bb96e0013271ec2899ae4f714c99f68fd30a59840ab665ad2
Instruction ID: 5b2c56ca74a4f11c5f493cda54f30b86cc1eab8f828d8a41247e1b07d06811aa
Opcode Fuzzy Hash: 57a2d30268ecd36bb96e0013271ec2899ae4f714c99f68fd30a59840ab665ad2
Instruction Fuzzy Hash: AB415E72605B8086E7529F62B8003DA77A4F789BE4F454216FF99477A8DF39C986C700

Function 000000014000B050 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000B08F
HeapAlloc.KERNEL32 ref: 000000014000B09D
GetModuleFileNameExW.PSAPI ref: 000000014000B10F
GetLastError.KERNEL32 ref: 000000014000B118
_snwprintf_s.LIBCMT ref: 000000014000B141
GetProcessHeap.KERNEL32 ref: 000000014000B16D
HeapFree.KERNEL32 ref: 000000014000B17B

Strings

[WOW64], xrefs: 000000014000B12C
% 8lu %s%s, xrefs: 000000014000B158
???, xrefs: 000000014000B13A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocErrorFileFreeLastModuleName_snwprintf_s
String ID: % 8lu %s%s$???$[WOW64]
API String ID: 2935443209-3245662266
Opcode ID: cbb4cfd1420a93e7b420b7677ccf895b67e377104a8596a3b37561e861a92888
Instruction ID: e0c9e3d2c961057911ea44f832aeb7ed931542fe1b8e416e59bf97ed6bf11b92
Opcode Fuzzy Hash: cbb4cfd1420a93e7b420b7677ccf895b67e377104a8596a3b37561e861a92888
Instruction Fuzzy Hash: 05319A71301A8592EB16DB62E8507DA63A0FB8CBC4F444126FB5D877A8EF3CC946C700

Function 0000000140001E20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsW.KERNEL32 ref: 0000000140001E32
GetLastError.KERNEL32 ref: 0000000140001E3E

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

GetProcessHeap.KERNEL32 ref: 0000000140001E84
HeapAlloc.KERNEL32 ref: 0000000140001E92

Strings

expand_environment_string, xrefs: 0000000140001EA3
ExpandEnvironmentStrings(), xrefs: 0000000140001EAA

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$AllocHeapSource$DeregisterEnvironmentErrorExpandLastLocalProcessRegisterReportStringsValue
String ID: ExpandEnvironmentStrings()$expand_environment_string
API String ID: 834161584-2090451141
Opcode ID: 1a857a85fd842b27e93463c536bdb97f0d9aefa233d789fc1baff957dccea033
Instruction ID: 58318641a1031420995e21b4a8e777d6e14e3e5644aac21f61b35d74fcd66aa2
Opcode Fuzzy Hash: 1a857a85fd842b27e93463c536bdb97f0d9aefa233d789fc1baff957dccea033
Instruction Fuzzy Hash: F1317175704A9042FB519B77B81039A62A1BB8DBC8F480139FF899776EEE3DC9414700

Function 000000014000F170 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

QueryServiceConfigW.ADVAPI32 ref: 000000014000F192
GetLastError.KERNEL32 ref: 000000014000F198
GetProcessHeap.KERNEL32 ref: 000000014000F1A7
HeapAlloc.KERNEL32 ref: 000000014000F1B8
QueryServiceConfigW.ADVAPI32 ref: 000000014000F1F0
GetProcessHeap.KERNEL32 ref: 000000014000F1FA
HeapFree.KERNEL32 ref: 000000014000F208
GetLastError.KERNEL32 ref: 000000014000F20E

Strings

query_service_config(), xrefs: 000000014000F1CB
QUERY_SERVICE_CONFIG, xrefs: 000000014000F1D2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$ConfigErrorLastProcessQueryService$AllocFree
String ID: QUERY_SERVICE_CONFIG$query_service_config()
API String ID: 2921672788-976127789
Opcode ID: 6385d850b7c4583b6f4ff08a7ab95c0a91cc1a175e4f964d4c8b666ba4b27812
Instruction ID: 12ef63c7e0ec9709d506b3c2b775e2798cffe3e90e480b8a1bef477be83b5080
Opcode Fuzzy Hash: 6385d850b7c4583b6f4ff08a7ab95c0a91cc1a175e4f964d4c8b666ba4b27812
Instruction Fuzzy Hash: E0215E75604A9082EB02DBA7F8043DAA7A0BB8DBC4F444429FF4E43B79DE7CC9459B00

Function 000000014000C570 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000C605
HeapAlloc.KERNEL32 ref: 000000014000C614
GetProcessHeap.KERNEL32 ref: 000000014000C6E4
HeapAlloc.KERNEL32 ref: 000000014000C6F5
GetProcessHeap.KERNEL32 ref: 000000014000C72E
HeapFree.KERNEL32 ref: 000000014000C73C
GetProcessHeap.KERNEL32 ref: 000000014000C80B
HeapFree.KERNEL32 ref: 000000014000C819

Strings

newdn, xrefs: 000000014000C715
append_to_double_null(), xrefs: 000000014000C628, 000000014000C70E
key, xrefs: 000000014000C62F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: append_to_double_null()$key$newdn
API String ID: 756756679-3598718664
Opcode ID: e8c0b0ba8166b1c5237778d83a4dddeaf43343473c6732b3d22e86108212e6b8
Instruction ID: a8659a9f761dcd48a20ea0bbf3106ddecff7fc8e2851ddb4a1a6f8d7a32dd65c
Opcode Fuzzy Hash: e8c0b0ba8166b1c5237778d83a4dddeaf43343473c6732b3d22e86108212e6b8
Instruction Fuzzy Hash: CF7180B6615A8081E662DB26B41079AB7A0FB4DBE4F448215FF6953BE8EB3CC545C700

Function 000000014000C840 Relevance: 16.7, APIs: 8, Strings: 3, Instructions: 164memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000C8CD
HeapAlloc.KERNEL32 ref: 000000014000C8DC
GetProcessHeap.KERNEL32 ref: 000000014000C9B8
HeapAlloc.KERNEL32 ref: 000000014000C9C9
GetProcessHeap.KERNEL32 ref: 000000014000CA02
HeapFree.KERNEL32 ref: 000000014000CA10
GetProcessHeap.KERNEL32 ref: 000000014000CA84
HeapFree.KERNEL32 ref: 000000014000CA92

Strings

newdn, xrefs: 000000014000C9E9
key, xrefs: 000000014000C8F7
remove_from_double_null(), xrefs: 000000014000C8F0, 000000014000C9E2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: key$newdn$remove_from_double_null()
API String ID: 756756679-180665911
Opcode ID: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
Instruction ID: 8c6053ef598a717a1cf223f2861525f2768c9fab3b540323a4fd1412df3eeb5f
Opcode Fuzzy Hash: dec6ef9297f2f528877f7eddd1e9d4dee81437ed94269273f5d5e12274e4d5bc
Instruction Fuzzy Hash: 03619D76722A9485E622DF26B8047D9B7E0F749BD4F488219EF59037E8DF38C985C300

Function 000000014000E8B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

%c%u, xrefs: 000000014000EA05

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %c%u
API String ID: 0-883269693
Opcode ID: dae4665bc3affedc8ddc6640690ef829aa088a68563d45def97606a5a0a477d5
Instruction ID: e75947337f5fd74baf7b6f5cfe7824060c4155299e81c8694041bf6305fe6a32
Opcode Fuzzy Hash: dae4665bc3affedc8ddc6640690ef829aa088a68563d45def97606a5a0a477d5
Instruction Fuzzy Hash: 6C51D072215AC596E7A1CF26F4483DA73A0F78C7E8F548229EB5957BE8DB38C105CB00

Function 000000014000BBD0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32 ref: 000000014000BC24

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

get_environment(), xrefs: 000000014000BCF0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$SourceValue$AllocDeregisterLocalQueryRegisterReport
String ID: get_environment()
API String ID: 3592804690-3013924771
Opcode ID: d57cb4b6c5f1898b49630d35002a849a514446ed12f956d7628af7b00dca0aac
Instruction ID: 391c77f4bcccafbf38fb0bab5bbf8670fbb79554e73f50bd891dca26f0d5cfbd
Opcode Fuzzy Hash: d57cb4b6c5f1898b49630d35002a849a514446ed12f956d7628af7b00dca0aac
Instruction Fuzzy Hash: A9515CB6204B9082E721DF62A8547DE72A5F74DBC8F44812AFF89477A9EF38C9158700

Function 0000000140011640 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00000001400116C5
_snwprintf_s.LIBCMT ref: 000000014001171C
EnterCriticalSection.KERNEL32 ref: 0000000140011765
SetWaitableTimer.KERNEL32 ref: 00000001400117A0
SetServiceStatus.ADVAPI32 ref: 00000001400117C5
LeaveCriticalSection.KERNEL32 ref: 00000001400117F2
WaitForSingleObject.KERNEL32 ref: 0000000140011809
Sleep.KERNEL32 ref: 0000000140011813

Strings

%lu, xrefs: 00000001400116A7, 0000000140011705

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CriticalSection_snwprintf_s$EnterLeaveObjectServiceSingleSleepStatusTimerWaitWaitable
String ID: %lu
API String ID: 109876818-685833217
Opcode ID: a44a97c43d17e4cb705c039e0ed849eaca5a340843a244270a44aae3fcf5a655
Instruction ID: e17d187198e1d2c556d4b600b8acea85b7155cc02b68ccfbb8bdb977714c94d3
Opcode Fuzzy Hash: a44a97c43d17e4cb705c039e0ed849eaca5a340843a244270a44aae3fcf5a655
Instruction Fuzzy Hash: 2B51DC72A04A80D7E7698F22E5553DE7360F388794F40032AF7AD876E5DB39D969CB00

Function 000000014000D020 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 105registryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 000000014000D06F
RegQueryValueExW.ADVAPI32 ref: 000000014000D101
RegCloseKey.ADVAPI32 ref: 000000014000D10C

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

hook registry, xrefs: 000000014000D084
set_hook(), xrefs: 000000014000D07D
AppEvents, xrefs: 000000014000D04B
%s\%s, xrefs: 000000014000D055

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$CloseDeregisterQueryRegisterReportValue_snwprintf_s
String ID: %s\%s$AppEvents$hook registry$set_hook()
API String ID: 2341694245-1670097391
Opcode ID: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
Instruction ID: 6d0862f9470687456da518464cbe15381b9a51efbdc411d03d7a1f67d58250b0
Opcode Fuzzy Hash: b442a7b8d74010f362647dca0de7b108b6b00fa7208d0fa25c58233f39fd3f26
Instruction Fuzzy Hash: 9041B17131468059EB62CB23B891BEA6291B74DBE4F84032ABF6E47BE5DF3CC5459310

Function 0000000140002430 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 62windowmemoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 0000000140002442
LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002481
GetUserDefaultLangID.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002487
FormatMessageW.KERNEL32 ref: 00000001400024B1
FormatMessageW.KERNEL32 ref: 00000001400024DE
_snwprintf_s.LIBCMT ref: 00000001400024FF

Strings

system error %lu, xrefs: 00000001400024E8
<out of memory for error message>, xrefs: 0000000140002466

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: FormatMessageValue$AllocDefaultLangLocalUser_snwprintf_s
String ID: <out of memory for error message>$system error %lu
API String ID: 2253289489-3923297632
Opcode ID: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
Instruction ID: a577034a7231977c6e80a66ab4d1eee538ee20579c78fea223c5835cb28133ac
Opcode Fuzzy Hash: c57cf59de28d07db67d5877a0ca59d18a7d4958fae7d58dbe770bbd656636a06
Instruction Fuzzy Hash: 7E21327160478186E7229F26F8547A66291FB8C7E8F444238EB99477E4EF3CC8548704

Function 0000000140015EA0 Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140015FC9
HeapFree.KERNEL32 ref: 0000000140015FDC
GetProcessHeap.KERNEL32 ref: 000000014001605C
HeapAlloc.KERNEL32 ref: 000000014001606D
GetProcessHeap.KERNEL32 ref: 00000001400160A3
HeapFree.KERNEL32 ref: 00000001400160B3
GetProcessHeap.KERNEL32 ref: 000000014001613A
HeapFree.KERNEL32 ref: 000000014001614A

Strings

native_set_dependon, xrefs: 0000000140016080
canon, xrefs: 0000000140016087

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$Free$Alloc
String ID: canon$native_set_dependon
API String ID: 3689955550-866904565
Opcode ID: 1a41d593f63f6d53f7ef41eee8dd95d892469f4ce90a1465bab3fee54d794e47
Instruction ID: 3417812ee75a08193b20f1fd53a885790022d951d8f5cc66eb521b80143630f7
Opcode Fuzzy Hash: 1a41d593f63f6d53f7ef41eee8dd95d892469f4ce90a1465bab3fee54d794e47
Instruction Fuzzy Hash: 8B81947260468086E762DF66A8003DA73A1F74DBE4F548229FF9947BE9DF39C9468700

Function 000000014002463C Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024692
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400246B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024756
malloc.LIBCMT ref: 000000014002476D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014002482C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014002486C
free.LIBCMT ref: 000000014002487A
free.LIBCMT ref: 000000014002489C

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 87be4e84dfff67e6a5404b062bacef3d47c9d24ad15316017cadb552b82724b7
Instruction ID: 0861bc031b95cbac96e7ade4b626951d0e31202a9991f2a15cb32f64d4bc2cc4
Opcode Fuzzy Hash: 87be4e84dfff67e6a5404b062bacef3d47c9d24ad15316017cadb552b82724b7
Instruction Fuzzy Hash: 6761A232214A8086E7268F27A8403ED76D5F789BE8F544629FB6A47BF4DF78C9458600

Function 000000014000AB10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 000000014000AB52
_snwprintf_s.LIBCMT ref: 000000014000AB7A
GetLastError.KERNEL32 ref: 000000014000AB7F

Strings

%lu, xrefs: 000000014000AB63

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ErrorLastOpenProcess_snwprintf_s
String ID: %lu
API String ID: 1004745324-685833217
Opcode ID: 90df853b17baf89f81b51910ebc5fb765af783191756ca6429a8faba2c2f6cee
Instruction ID: 96f1c24e96412612cb91f2ad7393678c3340066f9dc9d26303ae69a5e6fb9e68
Opcode Fuzzy Hash: 90df853b17baf89f81b51910ebc5fb765af783191756ca6429a8faba2c2f6cee
Instruction Fuzzy Hash: 38318071204A8182EB25DB26F41179E73A0FB4D7D4F444225BB8A876B9DF3CC545C700

Function 0000000140011330 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140011357
HeapAlloc.KERNEL32 ref: 0000000140011366
_snwprintf_s.LIBCMT ref: 00000001400113BD

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

GetProcessHeap.KERNEL32 ref: 0000000140011429
HeapFree.KERNEL32 ref: 0000000140011437

Strings

control code, xrefs: 000000014001137E, 00000001400113D2
log_service_control(), xrefs: 0000000140011377, 00000001400113CB
0x%08x, xrefs: 00000001400113AB

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterFreeRegisterReport_snwprintf_s
String ID: 0x%08x$control code$log_service_control()
API String ID: 4005908332-2089045330
Opcode ID: 4b21c5b224168c7e7b4499695bab61fcf9293932d0e1ac05f85688a7a5bfa71c
Instruction ID: ffd804206bfe6ad337dc71d2b961a3d269193d7c685cb79a6a520c7edc326c17
Opcode Fuzzy Hash: 4b21c5b224168c7e7b4499695bab61fcf9293932d0e1ac05f85688a7a5bfa71c
Instruction Fuzzy Hash: CB219E74605B9582F716CB57B8403E963A0E78C7D8F44422AFF99477AAEB3DC9868700

Function 000000014001C1A0 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014001C1EC

Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480

Part of subcall function 0000000140022644: free.LIBCMT ref: 0000000140022662
Part of subcall function 0000000140022644: free.LIBCMT ref: 0000000140022674
Part of subcall function 0000000140022644: free.LIBCMT ref: 0000000140022686
Part of subcall function 0000000140022644: free.LIBCMT ref: 0000000140022698
Part of subcall function 0000000140022644: free.LIBCMT ref: 00000001400226AA
Part of subcall function 0000000140022644: free.LIBCMT ref: 00000001400226BC
Part of subcall function 0000000140022644: free.LIBCMT ref: 00000001400226CE

free.LIBCMT ref: 000000014001C20E
free.LIBCMT ref: 000000014001C226
free.LIBCMT ref: 000000014001C232
free.LIBCMT ref: 000000014001C256
free.LIBCMT ref: 000000014001C26A
free.LIBCMT ref: 000000014001C279
free.LIBCMT ref: 000000014001C285
free.LIBCMT ref: 000000014001C2B2
free.LIBCMT ref: 000000014001C2DA
free.LIBCMT ref: 000000014001C2F4

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: a77eea8c151e190d82b6f428cf3663883c0e4f19f30549a310c13090e96925bf
Instruction ID: ba48b5ff12f0f3a38f4112c7b4e794e919eaded4b65ab0df7ef7b43739d5b6dd
Opcode Fuzzy Hash: a77eea8c151e190d82b6f428cf3663883c0e4f19f30549a310c13090e96925bf
Instruction Fuzzy Hash: D941083261268486FF579FA3C4557EC23A0AB9EBC4F480535EB1D1F6A5CF7AC8918320

Function 0000000140022118 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022178
GetLastError.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 000000014002218A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400221EA
malloc.LIBCMT ref: 0000000140022256
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222A0
GetStringTypeW.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 00000001400222B7
free.LIBCMT ref: 00000001400222C8
GetStringTypeA.KERNEL32(?,?,?,?,?,?,00000008,00000001400223EA), ref: 0000000140022345
free.LIBCMT ref: 0000000140022355

Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 0000000140024692
Part of subcall function 000000014002463C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400246B1
Part of subcall function 000000014002463C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247B5
Part of subcall function 000000014002463C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00000001400247F0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: e91ada0d3418bd2f4ec09be758e20b385c78253fc2d9f4ca109f82a3e7e5caae
Instruction ID: d53383f59eec4462090a64fdbba06e0d248b67d1e792285d37ae28196ec31423
Opcode Fuzzy Hash: e91ada0d3418bd2f4ec09be758e20b385c78253fc2d9f4ca109f82a3e7e5caae
Instruction Fuzzy Hash: 1A61A4326006809AEB229F66D4407DC77A6F74CBE8F540A29FF1957BE8DB78CD458340

Function 0000000140001F50 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32 ref: 0000000140001FCD
GetProcessHeap.KERNEL32 ref: 0000000140001FD9
HeapFree.KERNEL32 ref: 0000000140001FE7
SetEnvironmentVariableW.KERNEL32 ref: 0000000140001FF5
SetEnvironmentVariableW.KERNEL32 ref: 0000000140002008

Strings

=, xrefs: 0000000140001F90
=, xrefs: 0000000140001FA0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: EnvironmentVariable$Heap$FreeProcess
String ID: =$=
API String ID: 3778319993-2054292070
Opcode ID: 7bf4f98abe447227e6e460fd7a3f549218de6e97ff0865786475516afd98c878
Instruction ID: f6e392f159df02a5c0d1aa5861e7932fb23e5242deca1ebcea39a171da841de7
Opcode Fuzzy Hash: 7bf4f98abe447227e6e460fd7a3f549218de6e97ff0865786475516afd98c878
Instruction Fuzzy Hash: 98217676B0464081EB67AF23B4003EAA3B4FB99FC4F189025FB45436B5EB78C896C301

Function 000000014000CF10 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 72registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,00000000,0000000140010A23), ref: 000000014000CF9C
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,0000000140010A23), ref: 000000014000CFA9

Strings

AppExit, xrefs: 000000014000CF34
%lu, xrefs: 000000014000CFBC

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CloseQueryValue
String ID: %lu$AppExit
API String ID: 3356406503-2506947422
Opcode ID: 91cce3c04103fca208db0ba8ea57d72feedcf25d7159b3a3e563298903852ca5
Instruction ID: e4ede004e4c372926661c22df9dbebd0d94544826e947ded5c53d602466b7697
Opcode Fuzzy Hash: 91cce3c04103fca208db0ba8ea57d72feedcf25d7159b3a3e563298903852ca5
Instruction Fuzzy Hash: 66217172226B4586EB52CB22B440BEA63A1EB4DBE4F541235BF4D477B5EB38C4458701

Function 0000000140001080 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400010AA
HeapAlloc.KERNEL32 ref: 00000001400010B8
_snwprintf_s.LIBCMT ref: 000000014000111C

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Strings

name, xrefs: 00000001400010D2
NT Service, xrefs: 00000001400010F9
virtual_account, xrefs: 00000001400010CB
%s\%s, xrefs: 0000000140001100

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocFreeLocalProcess_snwprintf_s_vfwprintf_p
String ID: %s\%s$NT Service$name$virtual_account
API String ID: 1628691493-1293189587
Opcode ID: db52c54a1bd37a6a99ec5c8299a3637e23c77f5368cde7bf9e39c4659f78377e
Instruction ID: 847d56988c11ccff595402cc5be1d1d2c3e50c9f6037e04ff214d1465cb41b48
Opcode Fuzzy Hash: db52c54a1bd37a6a99ec5c8299a3637e23c77f5368cde7bf9e39c4659f78377e
Instruction Fuzzy Hash: E3112B35604A9591EA01DB66B5003CAA7A0E789BF8F944326EF6C03BF8DE38C5468700

Function 0000000140018B3C Relevance: 12.1, APIs: 8, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140018B9D
_errno.LIBCMT ref: 0000000140018BD3
_errno.LIBCMT ref: 0000000140018BE1
_errno.LIBCMT ref: 0000000140018BED
_errno.LIBCMT ref: 0000000140018C2F
_errno.LIBCMT ref: 0000000140018C39
_errno.LIBCMT ref: 0000000140018C5E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 982cf5645eaff3f93709234b792b80570c945d66980feefcdc7db2932bc7bba4
Instruction ID: f44b4c5ca08c131a72ac2aeda0961a669f3265e00c911aa11d5fdcb0036162f4
Opcode Fuzzy Hash: 982cf5645eaff3f93709234b792b80570c945d66980feefcdc7db2932bc7bba4
Instruction Fuzzy Hash: 1E31B036605A0085FA329B63A5403DE7294F78CBE4F544211FFA90B7F5CB7AC680CB61

Function 000000014001DA5C Relevance: 12.1, APIs: 8, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014001DABB
_errno.LIBCMT ref: 000000014001DAF1
_errno.LIBCMT ref: 000000014001DAFF
_errno.LIBCMT ref: 000000014001DB0B
_errno.LIBCMT ref: 000000014001DB4C
_errno.LIBCMT ref: 000000014001DB56
_errno.LIBCMT ref: 000000014001DB79

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: d8e2f75bd4eec119b7a74162acb909693bf6366b45e2778bd4c6527078f16033
Instruction ID: 458bbcd361950d94f00f622139773638d49f6eb722cf8fc22553e0bf105d927e
Opcode Fuzzy Hash: d8e2f75bd4eec119b7a74162acb909693bf6366b45e2778bd4c6527078f16033
Instruction Fuzzy Hash: 1141AEB550874085FE669B6399803DD73A4A79DBE4F594216FB6A0B7F6CB3AC400CB01

Function 000000014002146C Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140021495
_errno.LIBCMT ref: 000000014002149E
__doserrno.LIBCMT ref: 00000001400214EE
_errno.LIBCMT ref: 00000001400214F5

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 9996c40566fb5828d46623c4ffa25a2266b36484e3f6297649932163638dfe60
Instruction ID: 9b1ae2692c7aa1f797c30d2a7736f9f56704421511a9f923b1d78b963cf8b70d
Opcode Fuzzy Hash: 9996c40566fb5828d46623c4ffa25a2266b36484e3f6297649932163638dfe60
Instruction Fuzzy Hash: 88319E32610A5085E7139FA7A8417ED7555A7C8BF0F554719FF3A0B7E2CB3988428B04

Function 000000014002118C Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400211B5
_errno.LIBCMT ref: 00000001400211BE
__doserrno.LIBCMT ref: 000000014002120D
_errno.LIBCMT ref: 0000000140021214

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b7646aed9a6597f5178b7b5b15324365973a83a7cbee41c92b9d46bd9732982a
Instruction ID: 0ddb69c9fbd17f45a9d6bfcdc64467eb0070a41d15bfb506f601218df6432c84
Opcode Fuzzy Hash: b7646aed9a6597f5178b7b5b15324365973a83a7cbee41c92b9d46bd9732982a
Instruction Fuzzy Hash: 8831CF32A1025086F3135FB7A8427DE7659A7C9BE0F594619FB254B7F2CB39C8128B04

Function 00000001400241F4 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140024213
_errno.LIBCMT ref: 000000014002421C
__doserrno.LIBCMT ref: 000000014002426C
_errno.LIBCMT ref: 0000000140024273

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 090d77a67de7c985594c94a79ab8a345aab91e021a788556be9dfe15f8f47d1c
Instruction ID: ac8746d5d8e92a8110249d21505def07f870fd1ce60ee0340a01ca48d51c1f4b
Opcode Fuzzy Hash: 090d77a67de7c985594c94a79ab8a345aab91e021a788556be9dfe15f8f47d1c
Instruction Fuzzy Hash: 9631B63261069486F313AF77A8417ED7A55A7C9BD0FAA4619FB250B7F2CF39C8058B04

Function 0000000140017950 Relevance: 12.1, APIs: 2, Strings: 6, Instructions: 63COMMON

Download Yara Rule

Strings

SERVICE_WIN32_SHARE_PROCESS, xrefs: 00000001400179E5
SERVICE_KERNEL_DRIVER, xrefs: 00000001400179DC
SERVICE_WIN32_OWN_PROCESS, xrefs: 00000001400179CA
SERVICE_INTERACTIVE_PROCESS, xrefs: 0000000140017A0F
SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS, xrefs: 0000000140017A06
SERVICE_FILE_SYSTEM_DRIVER, xrefs: 00000001400179D3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: SERVICE_FILE_SYSTEM_DRIVER$SERVICE_INTERACTIVE_PROCESS$SERVICE_KERNEL_DRIVER$SERVICE_WIN32_OWN_PROCESS$SERVICE_WIN32_SHARE_PROCESS$SERVICE_WIN32_SHARE_PROCESS|SERVICE_INTERACTIVE_PROCESS
API String ID: 0-2402770260
Opcode ID: 16b709bc6346c575211078ab4dfa56cc102608930ce32e59cc0a2d25995df4d4
Instruction ID: 23a8490cfe90f1c2a308090e366f6a85ca121b180c663b3a352cc601f3572310
Opcode Fuzzy Hash: 16b709bc6346c575211078ab4dfa56cc102608930ce32e59cc0a2d25995df4d4
Instruction Fuzzy Hash: 01217C75524680C1F6678B67A804BE86271AB5C7D0FD51502FF0E5BAF0CB39CE889301

Function 00000001400144B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 126COMMON

Download Yara Rule

Strings

%s set %s %s %s %s, xrefs: 0000000140014666
%lu, xrefs: 000000014001458A
%s set %s %s %s, xrefs: 0000000140014691

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %lu$%s set %s %s %s$%s set %s %s %s %s
API String ID: 0-1795435707
Opcode ID: 7eaeb9f95fd18fb7197ea1527400dc4321b66208a513659367c1991a4ac879e3
Instruction ID: 054e451fad24e7065109f3f0b029d0dd47eea46ddc6e4fcf6589d200fc340022
Opcode Fuzzy Hash: 7eaeb9f95fd18fb7197ea1527400dc4321b66208a513659367c1991a4ac879e3
Instruction Fuzzy Hash: C251C2B1618A8052FB32DB26A4517DA2290F7497F8F901322FF794BAF9DB39C641C700

Function 00000001400212C0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400212D9
_errno.LIBCMT ref: 0000000140021326

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 8845e350c9dea3cf5267cdca4f8cdd242e0faa8e4b5157f2ade3c82d791c144e
Instruction ID: ab451d4fd270bb3903f805b9d7dd5fa572604a2d19d0fe20b2da734d15af6b17
Opcode Fuzzy Hash: 8845e350c9dea3cf5267cdca4f8cdd242e0faa8e4b5157f2ade3c82d791c144e
Instruction Fuzzy Hash: 8631D232B1064082F723AFB799467EE2656ABD97D0F19421DFB250B6F2CF78C8018744

Function 000000014001F086 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014001F08E
RaiseException.KERNEL32 ref: 000000014001F0CA
RaiseException.KERNEL32 ref: 000000014001F0ED
_getptd.LIBCMT ref: 000000014001F169
_getptd.LIBCMT ref: 000000014001F17D

Strings

csm, xrefs: 000000014001F11C

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd$ExceptionRaise
String ID: csm
API String ID: 2255768072-1018135373
Opcode ID: faddf5dcd7db62c195a203077242433b8dd42f1278d6c606382e79f7e625ce9f
Instruction ID: e8565f7666dcd684ddfdf79a9db708bd8ef6147b54f82e3b1904922039863616
Opcode Fuzzy Hash: faddf5dcd7db62c195a203077242433b8dd42f1278d6c606382e79f7e625ce9f
Instruction Fuzzy Hash: D7315032200780C2E662DF12E008BEE7365F79DBE1F454226EF5A0B7A5CB36C845CB00

Function 0000000140008360 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 000000014000839F
PathFindExtensionW.SHLWAPI ref: 00000001400083BD
_snwprintf_s.LIBCMT ref: 0000000140008422
_snwprintf_s.LIBCMT ref: 0000000140008456

Strings

%s%s, xrefs: 000000014000843C
-%04u%02u%02uT%02u%02u%02u.%03u%s, xrefs: 0000000140008406

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _snwprintf_s$ExtensionFindPathSystemTime
String ID: %s%s$-%04u%02u%02uT%02u%02u%02u.%03u%s
API String ID: 3012895273-3937541175
Opcode ID: 04bf656ff3656d3b29a7e1c79b75fe1ba97853567e5a848dceba71563a3bc1b0
Instruction ID: ef619b30c47574710df53ad96ff4b3ed88230155163be6427908ee86fe4bb24b
Opcode Fuzzy Hash: 04bf656ff3656d3b29a7e1c79b75fe1ba97853567e5a848dceba71563a3bc1b0
Instruction Fuzzy Hash: 8F219F72214A9096E7619F16F84179AB3A4F7887E0F504325BFA807AE8EB3CC521CB00

Function 000000014000D1C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 000000014000D20C

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

get_hook(), xrefs: 000000014000D21A
hook registry, xrefs: 000000014000D221
AppEvents, xrefs: 000000014000D1E8
%s\%s, xrefs: 000000014000D1F2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
String ID: %s\%s$AppEvents$get_hook()$hook registry
API String ID: 3081108292-1702643787
Opcode ID: 1a6e9feb4cc426e37fdb4580ac0202121e0b5c3df63c35c9d4901585fb099b56
Instruction ID: 186230ca1ad757ef69455b0b81aec2deb29fe0d21a35ae0f365b12cc6bbcffb9
Opcode Fuzzy Hash: 1a6e9feb4cc426e37fdb4580ac0202121e0b5c3df63c35c9d4901585fb099b56
Instruction Fuzzy Hash: 90216D71208A8485FA22DB62F8557DA6350FB9C7D8F400226FB9D477AADB3CC5458B40

Function 000000014001A834 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014001A85B

Part of subcall function 000000014001DBB8: GetModuleFileNameA.KERNEL32(?,?,?,?,?,000000014001DE14,?,?,?,?,0000000140020721,?,?,00000000,000000014001A304), ref: 000000014001DC7B

Part of subcall function 0000000140018E48: ExitProcess.KERNEL32 ref: 0000000140018E57

Part of subcall function 000000014001A2E0: malloc.LIBCMT ref: 000000014001A2FF
Part of subcall function 000000014001A2E0: Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316

_errno.LIBCMT ref: 000000014001A89D
_lock.LIBCMT ref: 000000014001A8B1
free.LIBCMT ref: 000000014001A8D3
_errno.LIBCMT ref: 000000014001A8D8
LeaveCriticalSection.KERNEL32(?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C,?,?,00000000,000000014001B8C5), ref: 000000014001A8FE

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: 4b8126503065e6b48009ab2c06c44879dd52bdcb099693d6deae534223483fd6
Instruction ID: 808b59fbf07043b202a3597875559d9e6a470724fff9b57267105a538d5de662
Opcode Fuzzy Hash: 4b8126503065e6b48009ab2c06c44879dd52bdcb099693d6deae534223483fd6
Instruction Fuzzy Hash: 6A219031A1468082F667AB13A5043EE6394E78E7C4F544235FB4A4F7E6CF7DC8819740

Function 00000001400140E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140014125
HeapAlloc.KERNEL32 ref: 0000000140014133
_snwprintf_s.LIBCMT ref: 0000000140014158
GetProcessHeap.KERNEL32 ref: 0000000140014161
HeapFree.KERNEL32 ref: 000000014001416F

Strings

value_from_string(), xrefs: 000000014001417A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocFree_snwprintf_s
String ID: value_from_string()
API String ID: 734457407-962593079
Opcode ID: 5d32141a8bc92d703f82d54b54d365e21bbe7b70d0b13f31b779d850a6f6be77
Instruction ID: 5240c5b56838f1c33d0c176e021e5deb61c2839be4d9d6ecac02f0754599868e
Opcode Fuzzy Hash: 5d32141a8bc92d703f82d54b54d365e21bbe7b70d0b13f31b779d850a6f6be77
Instruction Fuzzy Hash: B3213675201B8091E7129F62A81039AB7A0FB9DBE4F544729FFA9477F9DF39C5418700

Function 0000000140012A2C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011330: GetProcessHeap.KERNEL32 ref: 0000000140011357
Part of subcall function 0000000140011330: HeapAlloc.KERNEL32 ref: 0000000140011366

SetServiceStatus.ADVAPI32 ref: 0000000140012A65

Part of subcall function 00000001400070A0: GetProcessHeap.KERNEL32 ref: 00000001400070DE
Part of subcall function 00000001400070A0: HeapAlloc.KERNEL32 ref: 00000001400070F0

CreateThread.KERNEL32 ref: 0000000140012AB6
GetLastError.KERNEL32 ref: 0000000140012AC1

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Part of subcall function 0000000140011450: UnregisterWait.KERNEL32 ref: 000000014001148E
Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011526
Part of subcall function 0000000140011450: EnterCriticalSection.KERNEL32 ref: 00000001400115A5
Part of subcall function 0000000140011450: LeaveCriticalSection.KERNEL32 ref: 00000001400115CE
Part of subcall function 0000000140011450: SetServiceStatus.ADVAPI32 ref: 0000000140011610

Strings

Pre, xrefs: 0000000140012A75
Stop, xrefs: 0000000140012A7C
N, xrefs: 0000000140012A8D

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocEventServiceStatus$CriticalProcessSectionSource$CreateDeregisterEnterErrorLastLeaveLocalRegisterReportThreadUnregisterValueWait
String ID: N$Pre$Stop
API String ID: 812145449-3371997690
Opcode ID: 9281fc33d314b76a1bf7a4864cfbc9a9ffee161a1aecb02412ce670d735580f2
Instruction ID: 6af4c4e2d9bea6531c1b1a8f5835dc278c3db49be028d9187f13332ad1a60afb
Opcode Fuzzy Hash: 9281fc33d314b76a1bf7a4864cfbc9a9ffee161a1aecb02412ce670d735580f2
Instruction Fuzzy Hash: D3215EB1A04A8186EB11DF32E8557DA7791F788788F48422AEB4D4B6A9DB7CC5058B10

Function 0000000140009FB0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 38COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 0000000140009FB8
GetStdHandle.KERNEL32 ref: 0000000140009FC8
GetProcessWindowStation.USER32 ref: 0000000140009FD3

Strings

64-bit, xrefs: 0000000140009FE5, 000000014000A020
2.24-101-g897c7ad, xrefs: 0000000140009FF8, 000000014000A02C
2017-04-26, xrefs: 0000000140009FDE, 000000014000A019

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Window$ConsoleHandleProcessStation
String ID: 2.24-101-g897c7ad$2017-04-26$64-bit
API String ID: 2390998093-1554524045
Opcode ID: 40212cfdcf06d07a27e46ac9921e9abb250e1e9d96549386459e7f384bd3f580
Instruction ID: 208933ce03e1e4cdc7845d7d233c5fbd470caa9eac46f2f270bb13a7e74a878f
Opcode Fuzzy Hash: 40212cfdcf06d07a27e46ac9921e9abb250e1e9d96549386459e7f384bd3f580
Instruction Fuzzy Hash: 5B011A70201A4582FB16DB66B841BE563A0BB4C794F84052EBB5D476B0DF3DCA69C251

Function 0000000140002900 Relevance: 10.5, APIs: 7, Instructions: 32COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000291C
EnableWindow.USER32 ref: 0000000140002927
GetDlgItem.USER32 ref: 0000000140002939
EnableWindow.USER32 ref: 0000000140002944
GetDlgItem.USER32 ref: 0000000140002956
EnableWindow.USER32 ref: 0000000140002961
GetDlgItem.USER32 ref: 0000000140002973

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Item$EnableWindow
String ID:
API String ID: 1115945535-0
Opcode ID: fdb9829a3620f13d7b2969ddaf86a420751a5d1716256729c1b6106c74bd120c
Instruction ID: c136e8dc2aac8da60112be9b768c9bef934fbc30f7073625e23f517483f65cae
Opcode Fuzzy Hash: fdb9829a3620f13d7b2969ddaf86a420751a5d1716256729c1b6106c74bd120c
Instruction Fuzzy Hash: 5A01B639705A9083EB169F63F85C3A66362BBCCBD1F10402AEB4A43775CE3CC8498211

Function 0000000140015860 Relevance: 10.1, APIs: 8, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f544f8f627ae383a1768f01978c54afb7fcbded243f8772aacbfad5c93b319fe
Instruction ID: dd426357a1b9a04df74fbf9960fc75dfd2c65e8efc1bf2d2ec49ae87e7355242
Opcode Fuzzy Hash: f544f8f627ae383a1768f01978c54afb7fcbded243f8772aacbfad5c93b319fe
Instruction Fuzzy Hash: 9A415E76A14A80C2EB51AB23A4003DA67A1F78DBE4F584116FF4D5B7B8EF39C491CB40

Function 000000014001BF80 Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014001BF9F

Part of subcall function 000000014001BBBC: _getptd.LIBCMT ref: 000000014001BBC6

Part of subcall function 000000014001BC78: GetOEMCP.KERNEL32 ref: 000000014001BCA2

Part of subcall function 000000014001A2E0: malloc.LIBCMT ref: 000000014001A2FF
Part of subcall function 000000014001A2E0: Sleep.KERNEL32(?,?,00000000,000000014001A895,?,?,00000000,000000014001A93F,?,?,?,?,?,?,00000000,000000014001C67C), ref: 000000014001A316

free.LIBCMT ref: 000000014001C02B

Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480

_lock.LIBCMT ref: 000000014001C063
free.LIBCMT ref: 000000014001C113
free.LIBCMT ref: 000000014001C143
_errno.LIBCMT ref: 000000014001C148

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: 38aff8a93a219e004d4fb2decce731f2e1a6d6680dbde8491e10bca7deaa2c7b
Instruction ID: 9d870c3d51cdc4ff5d3e13d4a664bdaadccf0573858b57b63558978fb1287223
Opcode Fuzzy Hash: 38aff8a93a219e004d4fb2decce731f2e1a6d6680dbde8491e10bca7deaa2c7b
Instruction Fuzzy Hash: 3A51B23220068086E7579B67A4417E9B7A1F78DBD4F184216FB5A4B3F6CB7EC442C750

Function 00000001400022C0 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140002343
HeapAlloc.KERNEL32 ref: 0000000140002351
GetProcessHeap.KERNEL32 ref: 00000001400023FA
HeapFree.KERNEL32 ref: 0000000140002408

Strings

key, xrefs: 0000000140002372
remove_from_environment_block(), xrefs: 0000000140002366

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID: key$remove_from_environment_block()
API String ID: 756756679-4119166937
Opcode ID: 50cb34b2d45f5005c24813a1e0df2552c412c9d25a9998c01387e4aadb813f74
Instruction ID: 54bd58668acaa8a64a469b9de0776971d6101dcbc09bd55ad8906b7833b5f725
Opcode Fuzzy Hash: 50cb34b2d45f5005c24813a1e0df2552c412c9d25a9998c01387e4aadb813f74
Instruction Fuzzy Hash: E931A1B6201B9485EB12DF66B4047DA62A4F74CBE4F54422AFF59477A4DE3CCA86C304

Function 0000000140010FD0 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d7036cd358576f0070066cd22754db5c612962dedf37fce37ffe29802d89a7
Instruction ID: 3bc43f1e5b14f0690f46103c1f8670f803ed3e49879e2c6b4ee8c207eb9faa24
Opcode Fuzzy Hash: 42d7036cd358576f0070066cd22754db5c612962dedf37fce37ffe29802d89a7
Instruction Fuzzy Hash: C3316B76604A8182EB16EB62F4413EBB360F7887D4F440026EB8A07B65DF7DC98A8700

Function 0000000140006A20 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140006A59
HeapAlloc.KERNEL32 ref: 0000000140006A67
GetProcessHeap.KERNEL32 ref: 0000000140006AF6
HeapFree.KERNEL32 ref: 0000000140006B04

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

hook_thread_t, xrefs: 0000000140006A81
add_thread_handle(), xrefs: 0000000140006A7A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Event$ProcessSource$AllocDeregisterFreeRegisterReport
String ID: add_thread_handle()$hook_thread_t
API String ID: 2639727016-2774381828
Opcode ID: 07258aa41ff2d329225d4091da11a04ded088b26c61e4ebd4f05c7ccc6aded00
Instruction ID: ae4f56caa427e417652939ebecdf0274b2fcb006895382bd4350f4b80705e1a5
Opcode Fuzzy Hash: 07258aa41ff2d329225d4091da11a04ded088b26c61e4ebd4f05c7ccc6aded00
Instruction Fuzzy Hash: 392139B5200A9086EA16DFA3B990399B351B74DBC4F488439AF8957669DF3CD1528704

Function 0000000140024344 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 0000000140024372

Part of subcall function 0000000140024BF8: CreateFileA.KERNEL32 ref: 0000000140024C21

WriteConsoleW.KERNEL32 ref: 000000014002439E
GetLastError.KERNEL32 ref: 00000001400243B9
GetConsoleOutputCP.KERNEL32(?,?,?,?,0000000140020D54,?,?,?,00000001,00000000,?,00000001,0000000140021258,?,?,00000000), ref: 00000001400243CB
WideCharToMultiByte.KERNEL32 ref: 00000001400243FE
WriteConsoleA.KERNEL32 ref: 0000000140024424

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 49750729c7b7aba1964d5437bfb005b6ebdb22c5dff53d799c2bcbff44f50bda
Instruction ID: 6f037757feaa4c27bd12720e07a08ea325e095812da091d21dc5bf2b4c7a5843
Opcode Fuzzy Hash: 49750729c7b7aba1964d5437bfb005b6ebdb22c5dff53d799c2bcbff44f50bda
Instruction Fuzzy Hash: 5931FC32214A5086FB629B22E4583EA63A0F78D7F5F500319F769479F4DB7DC949CB01

Function 000000014001C624 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C62E
FlsGetValue.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C63C
SetLastError.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C694

Part of subcall function 000000014001A34C: Sleep.KERNEL32(?,?,?,000000014001C657,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A391

FlsSetValue.KERNEL32(?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63,?,?,?,?,00000000,000000014001818D), ref: 000000014001C668
free.LIBCMT ref: 000000014001C68B

Part of subcall function 000000014001C570: _lock.LIBCMT ref: 000000014001C5C0
Part of subcall function 000000014001C570: _lock.LIBCMT ref: 000000014001C5E0

GetCurrentThreadId.KERNEL32 ref: 000000014001C67C

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 744ae31ed2748b486f23b4531f5f32d18c4f8e80a7f5ef535a5c4d2a89bb2a02
Instruction ID: 0ffe949912e89fedb02e4494acd6bb79bd4d8b9ab6d6ef47e204af3708a6d54b
Opcode Fuzzy Hash: 744ae31ed2748b486f23b4531f5f32d18c4f8e80a7f5ef535a5c4d2a89bb2a02
Instruction Fuzzy Hash: 9C016734601B4186FB179F7794547E92391AB8CBD4F588228FB2A4B3F5EF3CD9458610

Function 0000000140017030 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

LocalSystem, xrefs: 000000014001709A, 00000001400170F0

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: LocalSystem
API String ID: 0-3718507506
Opcode ID: 5c510378ff35a3638561cda51b730c846dcb0c7f476201026cba6af3d87a6302
Instruction ID: 4fab973e0ab3922536d0106af51d2d3be6949260d5916859e64fc5ce486037cb
Opcode Fuzzy Hash: 5c510378ff35a3638561cda51b730c846dcb0c7f476201026cba6af3d87a6302
Instruction Fuzzy Hash: 6E618031305B8481FA62DB27A8007DB66E4BB8DBE4F584625BF6D4BBE5EF39C4418700

Function 0000000140017420 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

%s, xrefs: 00000001400174E7

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %s
API String ID: 0-620797490
Opcode ID: 99855a48316195b93616fbf83ab77e05beff4dc8f3728702d7539ec089a948fa
Instruction ID: 432093541ee24ec42a9dad4126288decd4c7b585e2e55cd77d9abcda1cabd02e
Opcode Fuzzy Hash: 99855a48316195b93616fbf83ab77e05beff4dc8f3728702d7539ec089a948fa
Instruction Fuzzy Hash: 5E51C072210B8086FB229B22A8407DA66A5F78DBD4F540225FF5D4BBF6DF39C941C300

Function 0000000140008B20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 74timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32 ref: 0000000140008B51
_snwprintf_s.LIBCMT ref: 0000000140008BB5

Part of subcall function 0000000140008A20: WriteFile.KERNEL32 ref: 0000000140008A69
Part of subcall function 0000000140008A20: GetLastError.KERNEL32 ref: 0000000140008A77

Strings

%04u-%02u-%02u %02u:%02u:%02u.%03u: , xrefs: 0000000140008BA2

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ErrorFileLastSystemTimeWrite_snwprintf_s
String ID: %04u-%02u-%02u %02u:%02u:%02u.%03u:
API String ID: 3358128232-1268504407
Opcode ID: 545cec81cc804d73d1d6c1551bfbb854dad7939054364ccafffc5018a4443183
Instruction ID: 7bdd17979279be81dc0a40d8893366271bb910dda1fa186fda7c8216b1e1685a
Opcode Fuzzy Hash: 545cec81cc804d73d1d6c1551bfbb854dad7939054364ccafffc5018a4443183
Instruction Fuzzy Hash: C231787220879486E7618F26F4407AAB7A0F389BD4F404216FFD943AA8DB3CC559CF00

Function 0000000140022644 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140022662

Part of subcall function 000000014001A458: HeapFree.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A46E
Part of subcall function 000000014001A458: _errno.LIBCMT ref: 000000014001A478
Part of subcall function 000000014001A458: GetLastError.KERNEL32(?,?,00000000,000000014001C690,?,?,00000000,000000014001B8C5,?,?,?,?,0000000140018C63), ref: 000000014001A480

free.LIBCMT ref: 0000000140022674
free.LIBCMT ref: 0000000140022686
free.LIBCMT ref: 0000000140022698
free.LIBCMT ref: 00000001400226AA
free.LIBCMT ref: 00000001400226BC
free.LIBCMT ref: 00000001400226CE

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 481ea5d7f3c29c63cf85197afd43e9c94bbba3eedf21573157349b5057f42bfd
Instruction ID: 77ca1b70bd230a49568464f667e52b8287626ed6f347ef5051490fb47eb780d6
Opcode Fuzzy Hash: 481ea5d7f3c29c63cf85197afd43e9c94bbba3eedf21573157349b5057f42bfd
Instruction Fuzzy Hash: 7A019933600444A2FB53EBA3D45A7F91361A7DDBC5F880505BB1E9B5B1CEBAD8809721

Function 000000014000B710 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 24COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 000000014000B73C
_snwprintf_s.LIBCMT ref: 000000014000B762

Strings

SYSTEM\CurrentControlSet\Services\%s, xrefs: 000000014000B74F
SYSTEM\CurrentControlSet\Services\%s\Parameters, xrefs: 000000014000B746
SYSTEM\CurrentControlSet\Services\%s\Parameters\%s, xrefs: 000000014000B72E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _snwprintf_s
String ID: SYSTEM\CurrentControlSet\Services\%s$SYSTEM\CurrentControlSet\Services\%s\Parameters$SYSTEM\CurrentControlSet\Services\%s\Parameters\%s
API String ID: 2338360151-2857344572
Opcode ID: 955eb0ba2272fd79fd9059f76f52419cdc5c8a2953150d37e1f3236c5638c1eb
Instruction ID: 3b4812ba213ef710f57529e59cf52b854acbe9ee47b84ed3b9b00befb1747d54
Opcode Fuzzy Hash: 955eb0ba2272fd79fd9059f76f52419cdc5c8a2953150d37e1f3236c5638c1eb
Instruction Fuzzy Hash: CBF01C7A90578092E562EBA674517C533A4B79A3F4F901309FEBC037F5DB388655C600

Function 000000014001EC58 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014001EC6F

Part of subcall function 000000014001E0F4: _getptd.LIBCMT ref: 000000014001E0F8

_getptd.LIBCMT ref: 000000014001EC81
_getptd.LIBCMT ref: 000000014001EC8F

Strings

csm, xrefs: 000000014001EC67
MOC, xrefs: 000000014001EC5F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd
String ID: MOC$csm
API String ID: 3186804695-1389381023
Opcode ID: bf3a03d5970d1dd3e1fb6bd408ba9de5847db261f06e21d03137f6bf29761363
Instruction ID: 392b93139b50625e4f00c751eea5d7909c54f268b14a004c93ea04d22c7197c5
Opcode Fuzzy Hash: bf3a03d5970d1dd3e1fb6bd408ba9de5847db261f06e21d03137f6bf29761363
Instruction Fuzzy Hash: 75E04F36911180C6E7272B66C4453EC36E0FB9C789F86A060A3444B3A3CBBEC4818A52

Function 0000000140011450 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

UnregisterWait.KERNEL32 ref: 000000014001148E
SetServiceStatus.ADVAPI32 ref: 0000000140011526
EnterCriticalSection.KERNEL32 ref: 00000001400115A5
LeaveCriticalSection.KERNEL32 ref: 00000001400115CE
SetServiceStatus.ADVAPI32 ref: 0000000140011610

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CriticalSectionServiceStatus$EnterLeaveUnregisterWait
String ID:
API String ID: 750648178-0
Opcode ID: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
Instruction ID: 64d843524deb2b9263129e994287159644b8f218d23b3c23ad896588e56a0bad
Opcode Fuzzy Hash: da6eaf891d5f39c178a9daca24e1f4e62401406960aaf2683fab0f1a6af88cc5
Instruction Fuzzy Hash: 26519AB6904B86C6E769DB22F4513DBB7A4F3887C8F040215EB9A073A5DB7DD949CB00

Function 0000000140017D40 Relevance: 7.6, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017D82
GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017DA4
HeapAlloc.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017DB2
MultiByteToWideChar.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017DDF
GetProcessHeap.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017DE9
HeapFree.KERNEL32(?,?,?,?,?,0000000140008BF4), ref: 0000000140017DF7

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$ByteCharMultiProcessWide$AllocFree
String ID:
API String ID: 1621643742-0
Opcode ID: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
Instruction ID: 73261801b5f655ca270de00b92cee958fb11958522fdb0b445105a0a4ffb2315
Opcode Fuzzy Hash: c6716c944c1ee476e8fa47434dc82bb4148891a779e4bc662eaca591434aa38c
Instruction Fuzzy Hash: E9216235605B8081E7219F67B81079AABE5FB4D7E4F044229EF99477E9DF38C4508600

Function 000000014001DE68 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DE91
DecodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DEA0

Part of subcall function 0000000140023CCC: _errno.LIBCMT ref: 0000000140023CD5

EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF1D

Part of subcall function 000000014001A3D0: realloc.LIBCMT ref: 000000014001A3FB
Part of subcall function 000000014001A3D0: Sleep.KERNEL32(?,?,00000000,000000014001DF0D,?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001A417

EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF2C
EncodePointer.KERNEL32(?,?,?,000000014001DF79,?,?,?,?,0000000140018F3E), ref: 000000014001DF38

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 83f6c6dcc442b54386dccdd7f702393c51a61e551925173b3f35c03b413daf19
Instruction ID: 30a756f2d09cec3d8e83d99eff3647af459344b6da25205903a0852a7dfdaa83
Opcode Fuzzy Hash: 83f6c6dcc442b54386dccdd7f702393c51a61e551925173b3f35c03b413daf19
Instruction Fuzzy Hash: 9B21683131169480EA12AB63F9453DAB392B78DBC0F54583AFB4E4F776EE79D5828304

Function 0000000140016470 Relevance: 7.6, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00000001400164BD
HeapFree.KERNEL32 ref: 00000001400164CD
GetProcessHeap.KERNEL32 ref: 00000001400164F3
HeapFree.KERNEL32 ref: 0000000140016503
GetProcessHeap.KERNEL32 ref: 0000000140016509
HeapFree.KERNEL32 ref: 0000000140016519

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
Instruction ID: c44fe957979a91557bf25453a9036a81366d3cea9cc272b65acdfdfda9ee0274
Opcode Fuzzy Hash: 75444d69a368e4496316f745fd35ff06dd85ac79cfc29b2ce87d2832b74a9499
Instruction Fuzzy Hash: 19114CB5605A8482EB129B73A8043DA67A1FB8DBD0F444029FF4E47768DF3CC9498A40

Function 00000001400169F0 Relevance: 7.6, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140016A3D
HeapFree.KERNEL32 ref: 0000000140016A4D
GetProcessHeap.KERNEL32 ref: 0000000140016A73
HeapFree.KERNEL32 ref: 0000000140016A83
GetProcessHeap.KERNEL32 ref: 0000000140016A89
HeapFree.KERNEL32 ref: 0000000140016A99

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 06e58962aa168ef4b9cce3fa7573b8739e7680e84b76f287644083a05431860a
Instruction ID: 4df9a403a91ae1dd2fec2ef8b09f26153c7cc104d93c3de734a30b221c7b6cbb
Opcode Fuzzy Hash: 06e58962aa168ef4b9cce3fa7573b8739e7680e84b76f287644083a05431860a
Instruction Fuzzy Hash: 2E114CB5605A8482EB11DB73A8003DA67A1FBCDBD0F448126FF4E57768DF3DC9498A40

Function 0000000140008770 Relevance: 7.5, APIs: 1, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400087FC

Strings

hStdOutput, xrefs: 0000000140008793
stdout_pipe, xrefs: 000000014000879A
hStdError, xrefs: 00000001400087D5
stderr_pipe, xrefs: 00000001400087DC

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CloseHandle
String ID: hStdError$hStdOutput$stderr_pipe$stdout_pipe
API String ID: 2962429428-3965950600
Opcode ID: b1431f8af12d8aa5b37c11219322e77cfc5415b162553f20b9ad0d1acf7a8f2b
Instruction ID: 132c92118f196b348bc52cac29ee2af79761ecaa20d4e8a20d920413e6b7f2b4
Opcode Fuzzy Hash: b1431f8af12d8aa5b37c11219322e77cfc5415b162553f20b9ad0d1acf7a8f2b
Instruction Fuzzy Hash: EA11C6B171094186EF96CF67F4457E92360FB4CBC8F844125AF5D831A5DF78C8918B00

Function 00000001400049A5 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00000001400049AD
GetDlgItemTextW.USER32 ref: 00000001400049C9

Part of subcall function 0000000140004690: GetProcessHeap.KERNEL32 ref: 00000001400046CE
Part of subcall function 0000000140004690: HeapAlloc.KERNEL32 ref: 00000001400046DF
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 0000000140004774
Part of subcall function 0000000140004690: LocalFree.KERNEL32 ref: 000000014000478E
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 00000001400047C0
Part of subcall function 0000000140004690: GetProcessHeap.KERNEL32 ref: 0000000140004801
Part of subcall function 0000000140004690: HeapAlloc.KERNEL32 ref: 0000000140004812
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 0000000140004851

GetDlgItemTextW.USER32 ref: 0000000140004A0C
GetDlgItemTextW.USER32 ref: 0000000140004A31
SetDlgItemTextW.USER32 ref: 0000000140004A4E

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Item$HeapText$_snwprintf_s$AllocProcess$FreeLocal
String ID:
API String ID: 65965981-0
Opcode ID: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
Instruction ID: 8c88ce8c025d37f4d5b0e8d3153f6582234e056b6c9f906e17911e81f835f57e
Opcode Fuzzy Hash: 21198b540a65345ed7fdc7f0815551f0124c4edbe3ffc441835e824b3edb693a
Instruction Fuzzy Hash: 4B11EFB161968182E7619B12F1547EE6311F789BC4F801125FF4E17AA9CF7CC54A8740

Function 0000000140004B77 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140004B7F
GetDlgItemTextW.USER32 ref: 0000000140004B9B

Part of subcall function 0000000140004690: GetProcessHeap.KERNEL32 ref: 00000001400046CE
Part of subcall function 0000000140004690: HeapAlloc.KERNEL32 ref: 00000001400046DF
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 0000000140004774
Part of subcall function 0000000140004690: LocalFree.KERNEL32 ref: 000000014000478E
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 00000001400047C0
Part of subcall function 0000000140004690: GetProcessHeap.KERNEL32 ref: 0000000140004801
Part of subcall function 0000000140004690: HeapAlloc.KERNEL32 ref: 0000000140004812
Part of subcall function 0000000140004690: _snwprintf_s.LIBCMT ref: 0000000140004851

GetDlgItemTextW.USER32 ref: 0000000140004BD3
GetDlgItemTextW.USER32 ref: 0000000140004BF8
SetDlgItemTextW.USER32 ref: 0000000140004C0B

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Item$HeapText$_snwprintf_s$AllocProcess$FreeLocal
String ID:
API String ID: 65965981-0
Opcode ID: bc93de3db2f9f1020f2827c5b2bfaff67fd16c43bba92efd12e0b4febac6b628
Instruction ID: 4cb8385e7472ac1fff0796a63c3a7a682bee92a1d82b4e4757a1f87387902318
Opcode Fuzzy Hash: bc93de3db2f9f1020f2827c5b2bfaff67fd16c43bba92efd12e0b4febac6b628
Instruction Fuzzy Hash: 84111E717196C182EB669B16F158BEE6311F789BC4F801026FE4A17F99CF3CC64A8700

Function 0000000140020638 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014002066F
GetCurrentProcessId.KERNEL32 ref: 000000014002067A
GetCurrentThreadId.KERNEL32 ref: 0000000140020686
GetTickCount.KERNEL32 ref: 0000000140020692
QueryPerformanceCounter.KERNEL32 ref: 00000001400206A3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c8f6b24ac6350ff6811d1f2cfc27df22994d1d3946078b9506eb196b374217da
Instruction ID: 10193c4157f05475708f448b1d2e75a923b46d7bcfff4b871662ec0ac0004df7
Opcode Fuzzy Hash: c8f6b24ac6350ff6811d1f2cfc27df22994d1d3946078b9506eb196b374217da
Instruction Fuzzy Hash: F9011331226B408AEB928F22E85439A6360F74DBD0F446624FF9E47BB4DB38CD958700

Function 0000000140002AE0 Relevance: 7.5, APIs: 5, Instructions: 23COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140002AF5
EnableWindow.USER32 ref: 0000000140002B00
GetDlgItem.USER32 ref: 0000000140002B12
EnableWindow.USER32 ref: 0000000140002B1D
GetDlgItem.USER32 ref: 0000000140002B2F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Item$EnableWindow
String ID:
API String ID: 1115945535-0
Opcode ID: fc1f00d6f8de915c0cf1fecaaa3dab29ec18d70c3be1c09bf97593c02900dbf0
Instruction ID: 5f5d2ebedf604e459dbdf9e4e943f0f8c65e70048bbde8dab10ac2dd5ce16191
Opcode Fuzzy Hash: fc1f00d6f8de915c0cf1fecaaa3dab29ec18d70c3be1c09bf97593c02900dbf0
Instruction Fuzzy Hash: 9BF09878B01A1082E7169F63F89C3962361B78CBD1F50402AEB4A53374CD3C888A8210

Function 000000014001F550 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014001F581
_getptd.LIBCMT ref: 000000014001F5A0
_CallSETranslator.LIBCMT ref: 000000014001F5E1

Part of subcall function 00000001400198A8: _getptd.LIBCMT ref: 00000001400198CF

Strings

MOC, xrefs: 000000014001F5B6

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC
API String ID: 3569367362-624257665
Opcode ID: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
Instruction ID: 1981bdcadb06ce4bdc8508a6749bf47e27913e4d16f9d5307a86893b0f960b5a
Opcode Fuzzy Hash: 984ef666c86ff0f26ee1dd0a56a556fdf105fcc5e21237e672a10548b4838afa
Instruction Fuzzy Hash: 7861C172204BC096EB21CB16E0807EDB3A1F788BC8F044612FB8E4BAA9DF79C155C700

Function 000000014000B1B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetExitCodeProcess.KERNEL32 ref: 000000014000B1D2
EnumWindows.USER32 ref: 000000014000B214

Strings

kill_process, xrefs: 000000014000B201

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CodeEnumExitProcessWindows
String ID: kill_process
API String ID: 1667765206-4017559064
Opcode ID: ec2725fd4d17deee3c6892182f4ec3b674e3a84b23fc252c11801733192f8160
Instruction ID: 870ed4e6a64c2b2717d87909e2c3c6a9de5bae361eb89f1ed30753fe3d390e05
Opcode Fuzzy Hash: ec2725fd4d17deee3c6892182f4ec3b674e3a84b23fc252c11801733192f8160
Instruction Fuzzy Hash: 62315AB620068182EB92CF27E4443ED67E0F78DBCCF484015EF885B6A9DB38C895CB00

Function 0000000140002100 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 0000000140002178
TerminateProcess.KERNEL32 ref: 0000000140002189
GetLastError.KERNEL32 ref: 00000001400021A2

Strings

h, xrefs: 000000014000215A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Process$CreateErrorLastTerminate
String ID: h
API String ID: 391916801-2439710439
Opcode ID: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
Instruction ID: d870a3890a1a428991c6d2e8576a3997bb0424cf396cd575bfeec439b2630230
Opcode Fuzzy Hash: f0eea5fc8340ddcc071df88f9cb943006310234530f1304aabdf6978d6f4de95
Instruction Fuzzy Hash: 89116072614AC086DB608B25F44539FB3E5FBC8794F544129A78D87B69EF7CC055CB00

Function 00000001400025F0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
ReportEventW.ADVAPI32 ref: 0000000140002688
DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

nssm, xrefs: 000000014000260A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport
String ID: nssm
API String ID: 3235303502-2602286837
Opcode ID: 7df15c659b1a9ede9e7b78cde8095a5092b846815cd3347651fe12293546a120
Instruction ID: e50ceca6900d08032080260d0135b37eb9bb60d2fd49f87d05c207e38d1b7918
Opcode Fuzzy Hash: 7df15c659b1a9ede9e7b78cde8095a5092b846815cd3347651fe12293546a120
Instruction Fuzzy Hash: FD11C672614B8082DB61CB15B440799B3A4FBA97E9F144229EBA917FA4DF3CC464CB00

Function 0000000140008200 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41registryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 0000000140008240
RegDeleteValueW.ADVAPI32(?,?,?,?,?,?,?,?,00000000,0000000140004197), ref: 0000000140008278

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

%s%s, xrefs: 0000000140008230
delete_createfile_parameter(), xrefs: 0000000140008250

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeleteDeregisterRegisterReportValue_snwprintf_s
String ID: %s%s$delete_createfile_parameter()
API String ID: 1919654809-3045456684
Opcode ID: 175380935694bc14b7af4e0a0e91dce587c67f0dfa4100bd6f875a10a037d859
Instruction ID: 00e2f90206eeac15bc4beae9a7c9104b7a997fd30bc8a4e903547ee1ab7b090e
Opcode Fuzzy Hash: 175380935694bc14b7af4e0a0e91dce587c67f0dfa4100bd6f875a10a037d859
Instruction Fuzzy Hash: C8016171204B8186EA61CB26F8517DA72A0F74C7D4F540229BBAD876E5DF3CC5098700

Function 0000000140018E0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,0000000140018E55,?,?,00000028,0000000140020735,?,?,00000000,000000014001A304,?,?,00000000,000000014001A895), ref: 0000000140018E1B
GetProcAddress.KERNEL32(?,?,000000FF,0000000140018E55,?,?,00000028,0000000140020735,?,?,00000000,000000014001A304,?,?,00000000,000000014001A895), ref: 0000000140018E30

Strings

CorExitProcess, xrefs: 0000000140018E26
mscoree.dll, xrefs: 0000000140018E14

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 33c6d0fe48477ca3b6b91b462d7bf832c94a3ce6636cad9f835ac117e0bb2d2e
Instruction ID: 7fd0a63c8c4db595e634ee2cb220929ad1125e220e7f5ed1595a97e86bb7ad7d
Opcode Fuzzy Hash: 33c6d0fe48477ca3b6b91b462d7bf832c94a3ce6636cad9f835ac117e0bb2d2e
Instruction Fuzzy Hash: 88E0627071174592FE1B6BA3B8943E412917B5C7C1F48152D9E5E0B3B0EF389D59C310

Function 000000014001ECA4 Relevance: 6.1, APIs: 4, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140019668: _getptd.LIBCMT ref: 000000014001966C

_getptd.LIBCMT ref: 000000014001ECE6
_SetImageBase.LIBCMT ref: 000000014001EDBC
_getptd.LIBCMT ref: 000000014001EDEF
_getptd.LIBCMT ref: 000000014001EDFD

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
Instruction ID: 43c81dbebb5e7642f9f0f2e393759842062bb8c55fdd15a841d76fd40ecc4635
Opcode Fuzzy Hash: 2237048bf79284b0269ed9c29fe75178a274c15cdf13b4d9d56bc2e72612f190
Instruction Fuzzy Hash: B241877220158185EA26A727E4457EDA794BB8DFD8F558121FF194B7F2CF36C482C701

Function 00000001400100E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000000140010158
HeapAlloc.KERNEL32 ref: 0000000140010166

Strings

username, xrefs: 0000000140010181
get_service_username(), xrefs: 000000014001017A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocProcess
String ID: get_service_username()$username
API String ID: 1617791916-1118073074
Opcode ID: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
Instruction ID: 0cb368d2c87889caaf96027648e82f4ecc8631b9f2301991adb876be56352873
Opcode Fuzzy Hash: c429dc061a9a6cf9038fc22e94fa89e910a21fbdcc0c89adca4798bb4a11ac5d
Instruction Fuzzy Hash: 8C218E35311F9181EB52EB66A4007D963A0FB4DBD4F145115FFA9477AADF39C5918300

Function 000000014000F270 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 000000014000F2BC
HeapAlloc.KERNEL32 ref: 000000014000F2CB

Part of subcall function 00000001400026B0: _vfwprintf_p.LIBCMT ref: 00000001400026E1
Part of subcall function 00000001400026B0: LocalFree.KERNELBASE(?,?,?,00000000,0000000140001065), ref: 00000001400026E9

Strings

canon, xrefs: 000000014000F2EA
prepend_service_group_identifier(), xrefs: 000000014000F2E3

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$AllocFreeLocalProcess_vfwprintf_p
String ID: canon$prepend_service_group_identifier()
API String ID: 3711101700-1763787916
Opcode ID: 70bfe6c4fdbcecd35eb41ec2717ce9fd15992a348f7a4d2acb1872022e334d37
Instruction ID: 507826b590544fc3c42e086d7e5ceacec4a2a22e150a68cdd10baf9fbc5d2281
Opcode Fuzzy Hash: 70bfe6c4fdbcecd35eb41ec2717ce9fd15992a348f7a4d2acb1872022e334d37
Instruction Fuzzy Hash: 43219F76211A4185EB12EF66F4403EA73A0FB4CBE4F489125FF5947BA5DE3CC9868300

Function 0000000140017340 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001873C: _errno.LIBCMT ref: 000000014001875D

Part of subcall function 0000000140001080: GetProcessHeap.KERNEL32 ref: 00000001400010AA
Part of subcall function 0000000140001080: HeapAlloc.KERNEL32 ref: 00000001400010B8

GetProcessHeap.KERNEL32 ref: 00000001400173A4
HeapFree.KERNEL32 ref: 00000001400173B2

Strings

****, xrefs: 00000001400173F9
NT Service, xrefs: 000000014001737A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Heap$Process$AllocFree_errno
String ID: ****$NT Service
API String ID: 3082395346-2413771068
Opcode ID: 52f29cefcd2ae25377bfd57735bacb64c6185ee46865f8d51834da5f558f6643
Instruction ID: 542743ef18242b98f181da6a0e2a201551074ef330fba52be6967c975ec7fa0b
Opcode Fuzzy Hash: 52f29cefcd2ae25377bfd57735bacb64c6185ee46865f8d51834da5f558f6643
Instruction Fuzzy Hash: 4D210832209B8482EA229B63F4407DA73A4F78DBD8F484115FF9D47BA9DF79C6458B01

Function 0000000140007CE0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000000140007D11
GetCurrentProcess.KERNEL32 ref: 0000000140007D1A
DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,0000000140007DB1), ref: 0000000140007D48
GetLastError.KERNEL32(?,?,?,?,?,?,?,0000000140007DB1), ref: 0000000140007D57

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
Instruction ID: 063db28a99952865a7c583c334f68a92e69e6d162e6800a70cf4d12b91e85143
Opcode Fuzzy Hash: a1a1746b7a1b8be94718e7fd56a79bcc54c5f9d3e77d580c70b2e15733a3a24d
Instruction Fuzzy Hash: D1118FB1604B8086E761DF13B80079AB3B0FB99BC4F544129FF8943769DB3CD5458A44

Function 00000001400082B0 Relevance: 6.0, APIs: 4, Instructions: 44fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00000001400082DE
SetFilePointerEx.KERNEL32 ref: 0000000140008300
SetEndOfFile.KERNEL32 ref: 000000014000830D
GetLastError.KERNEL32 ref: 0000000140008321

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: File$CreateErrorLastPointer
String ID:
API String ID: 2723331319-0
Opcode ID: c08339b1e22f32e2d1c44a12ee1b47e332aaf4369c88baee9192c0904b562b12
Instruction ID: 04b0ddcd3c0c213606b494fe1a6ff36e368d780fa48891c1d5ff22db1412f183
Opcode Fuzzy Hash: c08339b1e22f32e2d1c44a12ee1b47e332aaf4369c88baee9192c0904b562b12
Instruction Fuzzy Hash: 3A016DB170478082EB519B67B85579A6290BB8CBF4F044328BFB9477E9DB7CCA404B00

Function 0000000140020928 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002093D

Part of subcall function 000000014001B7EC: DecodePointer.KERNEL32 ref: 000000014001B813

_flush.LIBCMT ref: 0000000140020966
_freebuf.LIBCMT ref: 0000000140020970

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
Instruction ID: dd73d03f2c1ea2f4e6da5caa570c6c82c2ded73eed670ef386c6a809164821d1
Opcode Fuzzy Hash: 658a91a57760e8bfdda30ba3aa02c586fb4cbff4a2ea938cc334cdc9ad90d10b
Instruction Fuzzy Hash: 0401D432B1474042FB17AB7794513ED62515BDD7E8F280328BB524B5F7CE39CC818240

Function 0000000140002990 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400029A6
GetDesktopWindow.USER32 ref: 00000001400029B0
GetWindowRect.USER32 ref: 00000001400029C3
MoveWindow.USER32 ref: 0000000140002A12

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Window$Rect$DesktopMove
String ID:
API String ID: 2894293738-0
Opcode ID: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
Instruction ID: 9b88486dfa801f3ea56ee834c5fc61d219d0278a4a683ae30dfced5db79f75a2
Opcode Fuzzy Hash: 6c793aff5eefccb5bb44ad8668e35a694a0f6c32e109282dd85a116bf074420f
Instruction Fuzzy Hash: 940121723255418BEB65CF3AB4087597BA1F789BC5F485118BF4A93768DF3CD8048B04

Function 00000001400079F0 Relevance: 6.0, APIs: 4, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000000140007A0C
GetLastError.KERNEL32 ref: 0000000140007A1A

Part of subcall function 0000000140002430: TlsGetValue.KERNEL32 ref: 0000000140002442
Part of subcall function 0000000140002430: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,000000014000104C), ref: 0000000140002458

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

GetProcessHeap.KERNEL32 ref: 0000000140007A61
HeapFree.KERNEL32 ref: 0000000140007A71

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$HeapSource$AddressAllocDeregisterErrorFreeLastLocalProcProcessRegisterReportValue
String ID:
API String ID: 905504245-0
Opcode ID: d5408b3ffb354c67e7c82357409d565c31efe8536ff850fba44303473ab1db3e
Instruction ID: 68001dc37862e947b6face855cca3149977c74e6503e290e37182dcd7bd8c4ea
Opcode Fuzzy Hash: d5408b3ffb354c67e7c82357409d565c31efe8536ff850fba44303473ab1db3e
Instruction Fuzzy Hash: 58019EB5604B9082E7059B67E80039E63A0FB8DBC4F544428FF8C47B69EF3CC9118B00

Function 000000014001FFE8 Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014001FFF1
_errno.LIBCMT ref: 000000014001FFF9

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
Instruction ID: 94aae76b054f4c278dc94295e20dd2d585d9ec13bd88ad299c4b3e6ab06a23ff
Opcode Fuzzy Hash: e500c259cdb1fa6dcf6b2e184e15fca3845d434d9491e58f95f4bba58c537ff6
Instruction Fuzzy Hash: 09014F7261064485FB176B66C9913E926629B98BF5F548349FB2A0B3F2CB394815CA10

Function 0000000140004CCC Relevance: 6.0, APIs: 4, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140004CE3
SendMessageW.USER32 ref: 0000000140004CF7
GetDlgItem.USER32 ref: 0000000140004D08
SendMessageW.USER32 ref: 0000000140004D1C

Part of subcall function 0000000140002B50: GetDlgItem.USER32 ref: 0000000140002B91
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002BA5
Part of subcall function 0000000140002B50: GetDlgItem.USER32 ref: 0000000140002BB7
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002BCE
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002C2A
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002C5A
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002DA2
Part of subcall function 0000000140002B50: _snwprintf_s.LIBCMT ref: 0000000140002DC7
Part of subcall function 0000000140002B50: GetDlgItemTextW.USER32 ref: 0000000140002DF3
Part of subcall function 0000000140002B50: SetEnvironmentVariableW.KERNEL32 ref: 0000000140002E06

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
String ID:
API String ID: 2263371560-0
Opcode ID: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
Instruction ID: a487d99df9754013241ce58257599312179a340a947fd995e23cf4898c0dcb84
Opcode Fuzzy Hash: 1e261de19b2049f26f316e4d274318e75987586aff01661f23e1450ee786f346
Instruction Fuzzy Hash: EFF06DB471145042FB62D773F579BEA2251978DBC4F81102AAE0A0BFA5CD3D84C94700

Function 0000000140004D7A Relevance: 6.0, APIs: 4, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140004D82
SendMessageW.USER32 ref: 0000000140004D96
GetDlgItem.USER32 ref: 0000000140004DA7
SendMessageW.USER32 ref: 0000000140004DBB

Part of subcall function 0000000140002B50: GetDlgItem.USER32 ref: 0000000140002B91
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002BA5
Part of subcall function 0000000140002B50: GetDlgItem.USER32 ref: 0000000140002BB7
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002BCE
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002C2A
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002C5A
Part of subcall function 0000000140002B50: SendMessageW.USER32 ref: 0000000140002DA2
Part of subcall function 0000000140002B50: _snwprintf_s.LIBCMT ref: 0000000140002DC7
Part of subcall function 0000000140002B50: GetDlgItemTextW.USER32 ref: 0000000140002DF3
Part of subcall function 0000000140002B50: SetEnvironmentVariableW.KERNEL32 ref: 0000000140002E06

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: MessageSend$Item$EnvironmentTextVariable_snwprintf_s
String ID:
API String ID: 2263371560-0
Opcode ID: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
Instruction ID: b8c1a0b79c580c7536ba96cf28a415a1f70d0243cf03293b484bff3c148e4e38
Opcode Fuzzy Hash: 321d717a814a89acfc3efa5d88a05e77f0a26d3068045a377efcac5b98d509ea
Instruction Fuzzy Hash: 07F05E7871154042FB629773B979BDA225197CDBC4F811029AE4A0BFA5DD3C848A4700

Function 000000014001FD14 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014001FD38

Strings

csm, xrefs: 000000014001FD65
csm, xrefs: 000000014001FE6F

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
Instruction ID: d9d2eefccdb791b5da5f69efa20d78588aa8d92e6e4a8d7ac5f61f1dcab05ab9
Opcode Fuzzy Hash: c278b547bf228ec2d41bf35c1773a0c57779f941625d245b0e0dc3692df98d56
Instruction Fuzzy Hash: 4F518F3220428086EB669E27A4407FD76E1F749BD8F044125FB995BBFACB39C891DB01

Function 0000000140015BB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

%s, xrefs: 0000000140015C85

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID:
String ID: %s
API String ID: 0-620797490
Opcode ID: 66f9b83034cdc10779a5e0043ec0466502995d1837e5eb2a52bbf968e27da1c1
Instruction ID: d0e6f41c41585116152e02a184c3a1f58e4f54184c66c8a72e5feecc0c09d718
Opcode Fuzzy Hash: 66f9b83034cdc10779a5e0043ec0466502995d1837e5eb2a52bbf968e27da1c1
Instruction Fuzzy Hash: 45518F31711B4486EA67AF23B8403DB6690AB89BD4F580525BF5A4F7F5EF39C442C700

Function 0000000140004330 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

GetDlgItemTextW.USER32 ref: 0000000140004370

Strings

remove(), xrefs: 0000000140004486
service, xrefs: 000000014000448D

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: ItemText
String ID: remove()$service
API String ID: 3367045223-1317115628
Opcode ID: d6c1eab33e552a1d51edc14813662fb88a674c685bc921d8b2703708ddee48ca
Instruction ID: 884b68b2361b9accba3a5647830a6bbb3516d37918a4cefed32121cd93be4a21
Opcode Fuzzy Hash: d6c1eab33e552a1d51edc14813662fb88a674c685bc921d8b2703708ddee48ca
Instruction Fuzzy Hash: 7B319FB571855181FB16DB2BF1553EE5361E78ABC0F990021FF490BBAADA3ECA428704

Function 000000014000CAB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,0000000140010A23), ref: 000000014000CB00
_snwprintf_s.LIBCMT ref: 000000014000CB3E

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

%lu, xrefs: 000000014000CB2A

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterQueryRegisterReportValue_snwprintf_s
String ID: %lu
API String ID: 4171705784-685833217
Opcode ID: 252649570bab39624b2f3eb7c4793306f44bec8960cf66e6758a799e215959da
Instruction ID: b465ed42436ed88bcde89125f5b67bdb6df87cfb18eb5e921029c2ca6c48ad98
Opcode Fuzzy Hash: 252649570bab39624b2f3eb7c4793306f44bec8960cf66e6758a799e215959da
Instruction Fuzzy Hash: EC2190B222578086E761CB52F45179AB7A0F388BD4F541225BF9E47BE9DB3CC545CB00

Function 0000000140006960 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00000001400069E4
SetEnvironmentVariableW.KERNEL32 ref: 00000001400069FA

Strings

%llu, xrefs: 00000001400069C8

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: EnvironmentVariable_snwprintf_s
String ID: %llu
API String ID: 709434441-507646796
Opcode ID: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
Instruction ID: e467e5e73326f99c3117ac0c8c0fbe1bd46234100152dbfbcb59804b6ff9c8b8
Opcode Fuzzy Hash: 62323e847072239d2dfe07a9b4d82c4042ae325b3561faaad9a455eb713a102c
Instruction Fuzzy Hash: 581142F271568487EE55CF25F450399B3AAF78C7D0F40622ABB5A4BBA9DB38C445CB00

Function 0000000140002E80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 0000000140002ECB
GetEnvironmentVariableW.KERNEL32 ref: 0000000140002F03

Strings

NSSM_HOOK_%s_%s, xrefs: 0000000140002EBB

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: EnvironmentVariable_snwprintf_s
String ID: NSSM_HOOK_%s_%s
API String ID: 709434441-2875243618
Opcode ID: 4ea9655dce0b04998aeefe81c93d88c27734ff9384fe505650afbcf47a32db9d
Instruction ID: cd584e5e7450ae50aa123f35cea241f8afa392f5509ff8d8e49b189544c92063
Opcode Fuzzy Hash: 4ea9655dce0b04998aeefe81c93d88c27734ff9384fe505650afbcf47a32db9d
Instruction Fuzzy Hash: 9311A5B1324A8441F622DB26E8517DA6254F78D7E8F805225BF9D876E5DE3CC286C700

Function 0000000140008160 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 00000001400081A1

Part of subcall function 00000001400025F0: RegisterEventSourceW.ADVAPI32 ref: 0000000140002613
Part of subcall function 00000001400025F0: ReportEventW.ADVAPI32 ref: 0000000140002688
Part of subcall function 00000001400025F0: DeregisterEventSource.ADVAPI32 ref: 0000000140002691

Strings

%s%s, xrefs: 0000000140008195
set_createfile_parameter(), xrefs: 00000001400081AF

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: Event$Source$DeregisterRegisterReport_snwprintf_s
String ID: %s%s$set_createfile_parameter()
API String ID: 3081108292-102671490
Opcode ID: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
Instruction ID: 36db2d84d5898f6ff56e4daee3153183d4249f022df8d192bd57ebdc47628223
Opcode Fuzzy Hash: db437f29594db4c845281d8ab962dddfa93ab2c9490456a63c896ed5cf6eaedd
Instruction Fuzzy Hash: 1101B172614A8042F622DB16F851BDA6354BB8C7E4F540325BFAC477E5DF38C50A8740

Function 00000001400250EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140019A9C: _getptd.LIBCMT ref: 0000000140019AA9
Part of subcall function 0000000140019A9C: _getptd.LIBCMT ref: 0000000140019ABC

_getptd.LIBCMT ref: 0000000140025151
_getptd.LIBCMT ref: 0000000140025164

Strings

csm, xrefs: 0000000140025107

Memory Dump Source

Source File: 00000003.00000002.1818740881.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000003.00000002.1818717558.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818796143.0000000140026000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140030000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818819168.0000000140062000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.1818869758.0000000140065000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_140000000_nssm.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
Instruction ID: 3abc21f0dc36ef9efe3608e6f583550ad69bd6604c7f8c9ada24669edb6f4e5a
Opcode Fuzzy Hash: f518a2f01546b2857537e82e835672f00eb15f2ecaa500e75dd14d18472aae28
Instruction Fuzzy Hash: 480152322416418ADB72AF23C8503EC23A4E79DBCAF894129EF8D0B7A5DB31C994C305

Analysis Process: Service.exePID: 5064, Parent PID: 1928COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	290
Total number of Limit Nodes:	74

Executed Functions

Function 00007FFDF582C0E0 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 455
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32 ref: 00007FFDF582C2F6

Strings

psow, xrefs: 00007FFDF582C6D3
winOpen, xrefs: 00007FFDF582C563
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF582C3E4

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: CreateFile
String ID: delayed %dms for lock/sharing conflict at line %d$psow$winOpen
API String ID: 823142352-1266388144
Opcode ID: 294564a8028a632a24dace648262c53082131fb7504090ab2508b3d506ebc7ad
Instruction ID: ed0f38f8a5da3893da61e958ad3e69455ebeea8f7f575b5ed6017c222e999675
Opcode Fuzzy Hash: 294564a8028a632a24dace648262c53082131fb7504090ab2508b3d506ebc7ad
Instruction Fuzzy Hash: FC226C22B18B4A96FB588B15E864B396BA0FF45F94F44A236DD6D037E8DF3CE4448740

Function 00007FFDF59235E0 Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,?,?,00007FFDF5923421,?,?,?,?,00007FFDF58113AB), ref: 00007FFDF592360F

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 4f7a0fa851ad468300c0820e9a2cf3c48b89bc06903d9b8e6c916a86d47308c0
Instruction ID: de30f8b15001e14f37c810d7a3bf8b8d107bd50d43dabf6201f53475427ed053
Opcode Fuzzy Hash: 4f7a0fa851ad468300c0820e9a2cf3c48b89bc06903d9b8e6c916a86d47308c0
Instruction Fuzzy Hash: 34B1D065B0AB4F81FF5D8B55B870B3422A4BF45F84F5459BACD2D0A7E8EF2CE5818240

Function 00007FFDF5827D80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 114
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32 ref: 00007FFDF5827E03

Strings

winWrite1, xrefs: 00007FFDF5827F25
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF5827EB2
winWrite2, xrefs: 00007FFDF5827F06

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: FileWrite
String ID: delayed %dms for lock/sharing conflict at line %d$winWrite1$winWrite2
API String ID: 3934441357-1808655853
Opcode ID: 50579209e13c0d188a9c80e9b678b0d7a88b1b9ad0d8ca593215720cc074c618
Instruction ID: abd39927918ef054f8c1ea394119215c746b227d890b8e06f06748f21a44da1f
Opcode Fuzzy Hash: 50579209e13c0d188a9c80e9b678b0d7a88b1b9ad0d8ca593215720cc074c618
Instruction Fuzzy Hash: 10419075B1874A82E7288B16E460F697BA5FB85F40F549136DEAC83BD8DF3CE8418710

Function 00007FFDF582CAA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 00007FFDF582CAE4
DeleteFileW.KERNEL32 ref: 00007FFDF582CB12

Strings

delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF582CBE1
winDelete, xrefs: 00007FFDF582CBA2

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: File$AttributesDelete
String ID: delayed %dms for lock/sharing conflict at line %d$winDelete
API String ID: 2910425767-1405699761
Opcode ID: 999d1ba121ec2a82a5c60d5c34dcdcc3620227e88c38499f7fbdbc7c6c03f416
Instruction ID: 2862c8493a8016b93c6133bdba7a7265a5b83c7f2394b809a750067a9aca5183
Opcode Fuzzy Hash: 999d1ba121ec2a82a5c60d5c34dcdcc3620227e88c38499f7fbdbc7c6c03f416
Instruction Fuzzy Hash: 3E417C21B1870B82F7188B19F860A786BA1AF44F94F445632DD7D837E9DF2CE9458640

Function 00007FFDF5827550 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32 ref: 00007FFDF5827623

Strings

winRead, xrefs: 00007FFDF5827694
delayed %dms for lock/sharing conflict at line %d, xrefs: 00007FFDF58276D7

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict at line %d$winRead
API String ID: 2738559852-1843600136
Opcode ID: 54959c592f9b776378a38fea204404d265fd1426f5fd2a84a2b2b3749b4f4957
Instruction ID: e19bd9f6c864c6085c3068329823ac23f156dfdac113a5ef6c78e2886fb3c9c6
Opcode Fuzzy Hash: 54959c592f9b776378a38fea204404d265fd1426f5fd2a84a2b2b3749b4f4957
Instruction Fuzzy Hash: 3F41E532B18B0A86E7149F16E464EA9BBA5FB45F80F445136DE6D83BD8CF3CE5418780

Non-executed Functions

Function 00007FFDF59444B0 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFDF5944529
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFDF5944541
RtlVirtualUnwind.KERNEL32 ref: 00007FFDF594457C
IsDebuggerPresent.KERNEL32 ref: 00007FFDF59445B5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFDF59445BF
UnhandledExceptionFilter.KERNEL32 ref: 00007FFDF59445CA

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: e0829758c8acea8a88bb22142360789a48b9e3a09f4b65a80001d06f088d6958
Instruction ID: 471be2a22f0b56728d427b55b10950e0a245c522ed13b5be9cc9315fe5d66f1d
Opcode Fuzzy Hash: e0829758c8acea8a88bb22142360789a48b9e3a09f4b65a80001d06f088d6958
Instruction Fuzzy Hash: 19318136708F8586DB248B24E8507AE73A0FB88B54F504136EA9D43B9DDF3CC645CB00

Function 00007FFDF588B9FA Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b09fb8bc32717e68df346f831d48fb96644a2980a655d8ed8fcf2c81cfa48b0
Instruction ID: 7b0872fbed60f490810981b13608696ddf2fbaa4661be654a1c984df7cea9631
Opcode Fuzzy Hash: 7b09fb8bc32717e68df346f831d48fb96644a2980a655d8ed8fcf2c81cfa48b0
Instruction Fuzzy Hash:

Function 00007FFDF5834550 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 139COMMON

Download Yara Rule

APIs

new[].MSPDB140-MSVCRT ref: 00007FFDF5834675

Strings

winFullPathname1, xrefs: 00007FFDF583465A
:, xrefs: 00007FFDF58345BC
%s%c%s, xrefs: 00007FFDF58345C6
winFullPathname2, xrefs: 00007FFDF58346F1
?, xrefs: 00007FFDF5834591
:, xrefs: 00007FFDF5834581
\, xrefs: 00007FFDF58345D8

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: new[]
String ID: %s%c%s$:$:$?$\$winFullPathname1$winFullPathname2
API String ID: 4059295235-3840279414
Opcode ID: ada1d5f0f810558d137832d9d17ccea550533cbd4bee4c5a2ffc3a0b827115f0
Instruction ID: fb8092b4f830f3088b5b8ddb5b77a018eb680d2fd7e59e06930ea1ac5e01fde7
Opcode Fuzzy Hash: ada1d5f0f810558d137832d9d17ccea550533cbd4bee4c5a2ffc3a0b827115f0
Instruction Fuzzy Hash: B551AF21F1CA8A82FB199B61A434F792795AF44F88F484032DD6D477EADF6CE4858701

Function 00007FFDF594620C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00007FFDF5946235
TlsSetValue.KERNEL32(?,?,00000000,00007FFDF5945CBA,?,?,00000000,00007FFDF59447ED,?,?,?,?,00007FFDF5941C37), ref: 00007FFDF594624C

Strings

FlsSetValue, xrefs: 00007FFDF5946222

Memory Dump Source

Source File: 00000021.00000002.3611379284.00007FFDF5811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00007FFDF5810000, based on PE: true

Associated: 00000021.00000002.3611344179.00007FFDF5810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612030322.00007FFDF594E000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612185498.00007FFDF597D000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612258312.00007FFDF5980000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612311932.00007FFDF5981000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000021.00000002.3612350548.00007FFDF5984000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_33_2_7ffdf5810000_Service.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 6c623e2a00096b0839e064d8c69010e4eef44c071450a3cda0d12956c4a57d8a
Instruction ID: 5ef60e56cae01d2c7811df4e1c190b14263920eb96f1e3208c6765eaf51a3b95
Opcode Fuzzy Hash: 6c623e2a00096b0839e064d8c69010e4eef44c071450a3cda0d12956c4a57d8a
Instruction Fuzzy Hash: 06E06565B0864A92FF1D9B50E424EB52222AF48F80F489136D53D466DCCF3CEE49C301

Analysis Process: devcon.exePID: 3428, Parent PID: 5460COMMON

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	764
Total number of Limit Nodes:	21

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF694611A20 Relevance: 19.9, APIs: 13, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694616B70: malloc.MSVCRT(?,?,?,00007FF6946112DB), ref: 00007FF694616B8E

SetupDiClassGuidsFromNameExW.SETUPAPI ref: 00007FF694611AFA
GetLastError.KERNEL32 ref: 00007FF694611B0D
CharNextW.USER32 ref: 00007FF694611BAD
CharNextW.USER32 ref: 00007FF694611BC7
wcschr.MSVCRT ref: 00007FF694611BDF
SetupDiCreateDeviceInfoListExW.SETUPAPI ref: 00007FF694611C54
SetupDiGetClassDevsExW.SETUPAPI ref: 00007FF694611C9C
SetupDiOpenDeviceInfoW.SETUPAPI ref: 00007FF694611CEC
SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF694611D15
SetupDiEnumDeviceInfo.SETUPAPI ref: 00007FF694611D55
CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF694611DC6
SetupDiEnumDeviceInfo.SETUPAPI ref: 00007FF694611F4F
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF694611F97

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$DeviceInfo$List$CharClassEnumNext$CreateDestroyDetailDevice_DevsErrorFromGet_GuidsLastNameOpenmallocwcschr
String ID:
API String ID: 43639810-0
Opcode ID: 346997b52acf79b8c85f6c67cfbfc8ecc27e95c6d2b0a952b0ad311ee47ef266
Instruction ID: b2f36ca09ff9e6943364c2b988ab837665b6050d6b46fd7fd9e3c7e800d04a98
Opcode Fuzzy Hash: 346997b52acf79b8c85f6c67cfbfc8ecc27e95c6d2b0a952b0ad311ee47ef266
Instruction Fuzzy Hash: F2F1B3B2A08A8286EB208F55E4802FDB7A0FB8DB98F548175DE5E87B94DF3CD545D700

Function 00007FF6946115E8 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF694616B70: malloc.MSVCRT(?,?,?,00007FF6946112DB), ref: 00007FF694616B8E

GetLastError.KERNEL32 ref: 00007FF694611639
SetupDiGetDeviceRegistryPropertyW.SETUPAPI ref: 00007FF6946116BB

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: DeviceErrorLastPropertyRegistrySetupmalloc
String ID:
API String ID: 3222414921-0
Opcode ID: 090b46064aa7c0e42f17cac93464e8602f3f87fbcec76419732d820bd4227342
Instruction ID: 7842b2fae20f165afa9fc651038a4bd381005b466ae43959e9fbfb26d1a1f098
Opcode Fuzzy Hash: 090b46064aa7c0e42f17cac93464e8602f3f87fbcec76419732d820bd4227342
Instruction Fuzzy Hash: 1521847260878186EB648F11A4906B977A4FB8CB90F588275EEBE83795DF3DD841CB40

Function 00007FF694616CF0 Relevance: 9.1, APIs: 6, Instructions: 95
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00007FF694616D34
_amsg_exit.MSVCRT ref: 00007FF694616D50
_initterm.MSVCRT ref: 00007FF694616DD4
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF694616E01
exit.KERNELBASE ref: 00007FF694616E4E
_cexit.MSVCRT ref: 00007FF694616E5D

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CurrentImageNonwritableSleep_amsg_exit_cexit_inittermexit
String ID:
API String ID: 4291973834-0
Opcode ID: 706a97d6c57b6583ab6d2954fa5cc554724fb3c63a47e31049ab5f7dc56f8480
Instruction ID: df9ac3d3d3fa6deadbad87d4a516f41639bbb4d7ad00bc003b358a5756fdb672
Opcode Fuzzy Hash: 706a97d6c57b6583ab6d2954fa5cc554724fb3c63a47e31049ab5f7dc56f8480
Instruction Fuzzy Hash: 2D41D8B5E0C6468AF7709B15E9C027927A0EF8CB44F0085B6D92DC76A4DF7CE845E740

Function 00007FF694611FD0 Relevance: 6.2, APIs: 4, Instructions: 163
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsrchr.MSVCRT ref: 00007FF694612011
CharNextW.USER32 ref: 00007FF69461202B
CharNextW.USER32 ref: 00007FF6946120E1
_wcsicmp.MSVCRT ref: 00007FF69461210B

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CharNext$_wcsicmpwcsrchr
String ID:
API String ID: 349611830-0
Opcode ID: 00a20d2dbd4039686c28c160fa1c05f15aff131818592b9301d6560f865f19a8
Instruction ID: b5104249dd46c058316abeaef0ea3c4b43af9b8819806a06972d05b6c38665ac
Opcode Fuzzy Hash: 00a20d2dbd4039686c28c160fa1c05f15aff131818592b9301d6560f865f19a8
Instruction Fuzzy Hash: 9251FFB6A0868686EA30DB15D4C427A66A0FB4DB89F05C679DF2DD3390DF3CE585E300

Function 00007FF6946159F0 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32 ref: 00007FF694615A46
LoadStringW.USER32 ref: 00007FF694615A6C
LoadStringW.USER32 ref: 00007FF694615A94

Part of subcall function 00007FF694611A20: SetupDiClassGuidsFromNameExW.SETUPAPI ref: 00007FF694611AFA
Part of subcall function 00007FF694611A20: GetLastError.KERNEL32 ref: 00007FF694611B0D
Part of subcall function 00007FF694611A20: SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF694611F97

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: LoadString$Setup$CharClassDestroyDeviceErrorFormatFreeFromGuidsInfoLastListLocalMessageNamePrevfputws
String ID:
API String ID: 2156310005-0
Opcode ID: 4c3c7b40d94fe2c47dfe18297074997c7891f4faa63f9ec967768bd3813214f2
Instruction ID: 8b9105bd76063d29df8e97aee534ce039678c77640bcb17e88f702de20a24cbb
Opcode Fuzzy Hash: 4c3c7b40d94fe2c47dfe18297074997c7891f4faa63f9ec967768bd3813214f2
Instruction Fuzzy Hash: 9F414A72618B82CAE7748B21E490BBAB6A4FB8C745F508075EA5D87B85DF3CE505DB00

Function 00007FF694616CA0 Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wgetmainargs.KERNELBASE ref: 00007FF694616CD8

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: __wgetmainargs
String ID:
API String ID: 1709950718-0
Opcode ID: 943ab0ee3eda69021a4f07d25a78058e0e8e433080375cef63d515d42e6b7d78
Instruction ID: 368c5e14bd768964d7decdf83574d1f8ef19c3384e617ccf6ba5ac7f4e01c711
Opcode Fuzzy Hash: 943ab0ee3eda69021a4f07d25a78058e0e8e433080375cef63d515d42e6b7d78
Instruction Fuzzy Hash: 73E052B4E086479EEB208B10B9804B837A0FB8DB04F8081B6C42D96234DE7CA14DEB00

Non-executed Functions

Function 00007FF694615C80 Relevance: 40.6, APIs: 13, Strings: 10, Instructions: 363
registryserviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiClassGuidsFromNameExW.SETUPAPI ref: 00007FF694615D02
GetLastError.KERNEL32 ref: 00007FF694615D12
_wcsicmp.MSVCRT ref: 00007FF694615D3D
_wcsicmp.MSVCRT ref: 00007FF694615D64
SetupDiOpenClassRegKeyExW.SETUPAPI ref: 00007FF694615DA7
OpenSCManagerW.ADVAPI32 ref: 00007FF694615EAC
OpenServiceW.ADVAPI32 ref: 00007FF694615ED0
CloseServiceHandle.ADVAPI32 ref: 00007FF694615EE7
CloseServiceHandle.ADVAPI32 ref: 00007FF694615EF6
_wcsicmp.MSVCRT ref: 00007FF694615FEC
RegSetValueExW.ADVAPI32 ref: 00007FF6946160F1
RegDeleteValueW.ADVAPI32 ref: 00007FF694616136

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Part of subcall function 00007FF694613174: wprintf.MSVCRT ref: 00007FF69461319F

RegCloseKey.ADVAPI32 ref: 00007FF6946161AC

Strings

=, xrefs: 00007FF694615E34
upper, xrefs: 00007FF694615D36
+, xrefs: 00007FF694615E6A
LowerFilters, xrefs: 00007FF694615D7B
!, xrefs: 00007FF694615E61
@, xrefs: 00007FF69461601D
-, xrefs: 00007FF694615E90
@, xrefs: 00007FF694615E58
lower, xrefs: 00007FF694615D5D
UpperFilters, xrefs: 00007FF694615D50

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CloseOpenService_wcsicmp$ClassHandleSetupValue$CharDeleteErrorFormatFreeFromGuidsLastLocalManagerMessageNamePrevfputwswprintf
String ID: !$+$-$=$@$@$LowerFilters$UpperFilters$lower$upper
API String ID: 1724156078-2693469231
Opcode ID: 926cd04b1689d02a59abcbcd5e01b1a056d007f521a5af8e348f38f05508dc4f
Instruction ID: cc52d523064e1db41ad23284b33ff97b73dd075722a1f66c53d320afc35969f0
Opcode Fuzzy Hash: 926cd04b1689d02a59abcbcd5e01b1a056d007f521a5af8e348f38f05508dc4f
Instruction Fuzzy Hash: D2E1BFB6A0968286EA349B159491279BBA1FF4DBA0F45C271DE3E877D1DF3CE444E300

Function 00007FF694612A04 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 271
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612A6A
SetupDiSetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612A91
SetupDiBuildDriverInfoList.SETUPAPI ref: 00007FF694612AAD
SetupDiEnumDriverInfoW.SETUPAPI ref: 00007FF694612AD2
SetupDiOpenDevRegKey.SETUPAPI ref: 00007FF694612B08
RegQueryValueExW.ADVAPI32 ref: 00007FF694612B51
RegQueryValueExW.ADVAPI32 ref: 00007FF694612BA0
RegQueryValueExW.ADVAPI32 ref: 00007FF694612BEA
RegQueryValueExW.ADVAPI32 ref: 00007FF694612C34
RegCloseKey.ADVAPI32 ref: 00007FF694612C45
SetupDiGetDeviceRegistryPropertyW.SETUPAPI ref: 00007FF694612C89
SetupDiSetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612CB4
SetupDiBuildDriverInfoList.SETUPAPI ref: 00007FF694612CD1

Strings

ProviderName, xrefs: 00007FF694612B96
InfPath, xrefs: 00007FF694612B42
DriverDesc, xrefs: 00007FF694612C25
InfSection, xrefs: 00007FF694612BDB

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$DeviceQueryValue$DriverInfoInstallParams$BuildList$CloseEnumOpenPropertyRegistry
String ID: DriverDesc$InfPath$InfSection$ProviderName
API String ID: 1187922586-109328823
Opcode ID: 70622a9b5a574f4e2a8280fc3ff9c5255fc456a0584ec18a8c22dc112fbdd8cc
Instruction ID: 61ed72a14db9be25f583ec4605efc2f914b98b5475680e500e26ee26a6e71e24
Opcode Fuzzy Hash: 70622a9b5a574f4e2a8280fc3ff9c5255fc456a0584ec18a8c22dc112fbdd8cc
Instruction Fuzzy Hash: DCC162B2A08A8286EB708F51E4842BAB7A0FB8DB99F44C175DE5D93754DF3CD504EB40

Function 00007FF694614180 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiClassGuidsFromNameExW.SETUPAPI ref: 00007FF694614292
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF6946144E0

Strings

, xrefs: 00007FF694614327

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$ClassDestroyDeviceFromGuidsInfoListName
String ID:
API String ID: 1860465623-3916222277
Opcode ID: e6450321c0d2d64a461101c674be3e33342555eeae8982276af84a45cca274cc
Instruction ID: e97b820dcccfb4faf842d453b2dcc1bebf3195e24987609723bcda00370c65ee
Opcode Fuzzy Hash: e6450321c0d2d64a461101c674be3e33342555eeae8982276af84a45cca274cc
Instruction Fuzzy Hash: 1AA18FB2A0878286E7309F61E4903B967A4FB8EBA4F548675DA6D87BC4DF3CD405D700

Function 00007FF6946111C4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 48shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6946111D7
OpenProcessToken.ADVAPI32 ref: 00007FF6946111F0
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF69461120E
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF694611253
CloseHandle.KERNEL32 ref: 00007FF694611264
InitiateSystemShutdownExW.ADVAPI32 ref: 00007FF69461128A

Strings

SeShutdownPrivilege, xrefs: 00007FF694611207

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
String ID: SeShutdownPrivilege
API String ID: 2036077386-3733053543
Opcode ID: fddce4556390571a9fb10fe5ea09b351c16824cdf68d2e6d798df49b6638f994
Instruction ID: 630dabbef7a9a71ec5f36633077ded6fc29d41f1f93cadeacebb24845769642c
Opcode Fuzzy Hash: fddce4556390571a9fb10fe5ea09b351c16824cdf68d2e6d798df49b6638f994
Instruction Fuzzy Hash: FC214F72518A82C7E7608B11F4567BABBA0FBCDB44F44D165EA5E82B54CF7CD048CB00

Function 00007FF6946169C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103fileCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryW.KERNEL32 ref: 00007FF694616A07
FindFirstFileW.KERNEL32 ref: 00007FF694616AB0

Strings

\INF\OEM*.INF, xrefs: 00007FF694616A67

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: DirectoryFileFindFirstWindows
String ID: \INF\OEM*.INF
API String ID: 1585389207-2728984289
Opcode ID: 6a7a1a2d6b532156aec20f8e7e9eeafbd71c87cdb6d56367d2f17184ac1bf8f6
Instruction ID: a26b329638701c756806f054cfdebfb48032422db751b423dac0cc51b28f2c9a
Opcode Fuzzy Hash: 6a7a1a2d6b532156aec20f8e7e9eeafbd71c87cdb6d56367d2f17184ac1bf8f6
Instruction Fuzzy Hash: 304186B5B1868283EE309B24D4902B976A5FF8CB90F54C5B2CA6E83795DF3CE815D340

Function 00007FF694613A1C Relevance: 42.2, APIs: 18, Strings: 6, Instructions: 232
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupOpenInfFileW.SETUPAPI ref: 00007FF694613A6C
GetLastError.KERNEL32 ref: 00007FF694613A81
SetupFindFirstLineW.SETUPAPI ref: 00007FF694613AAB
SetupGetStringFieldW.SETUPAPI ref: 00007FF694613ADD
SetupFindFirstLineW.SETUPAPI ref: 00007FF694613B36
SetupGetStringFieldW.SETUPAPI ref: 00007FF694613B61
CLSIDFromString.OLE32 ref: 00007FF694613B7D
SetupDiGetClassDescriptionExW.SETUPAPI ref: 00007FF694613BA9
LoadLibraryW.KERNEL32 ref: 00007FF694613BF3
GetProcAddress.KERNEL32 ref: 00007FF694613C15
memset.MSVCRT ref: 00007FF694613C3A
GetLastError.KERNEL32 ref: 00007FF694613C5E
GetLastError.KERNEL32 ref: 00007FF694613C71

Strings

ClassGUID, xrefs: 00007FF694613B28
Provider, xrefs: 00007FF694613A9D
Version, xrefs: 00007FF694613AA4, 00007FF694613B2F, 00007FF694613CC6
DriverVer, xrefs: 00007FF694613CBF
SetupVerifyInfFile, xrefs: 00007FF694613C0B
setupapi.dll, xrefs: 00007FF694613BEC

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$ErrorLastString$FieldFindFirstLine$AddressClassDescriptionFileFromLibraryLoadOpenProcmemset
String ID: ClassGUID$DriverVer$Provider$SetupVerifyInfFile$Version$setupapi.dll
API String ID: 653204746-1638047923
Opcode ID: 564b6a287c9b88aca2cc48c980f14925d6c819359dbf66884c50b56fdeedf4fc
Instruction ID: d8e4926fc806ea996170937971a6f74391ee0bdde8f26b2402958dfd03a8f2b8
Opcode Fuzzy Hash: 564b6a287c9b88aca2cc48c980f14925d6c819359dbf66884c50b56fdeedf4fc
Instruction Fuzzy Hash: 70A17EB1A08A8286F730AB21E8901F966A0FF8DB55F44D1B5D92ED7784DF3CE549D700

Function 00007FF6946132C4 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 290
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF694613310
memset.MSVCRT ref: 00007FF694613324
SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF694613346
SetupDiSetDeviceInstallParamsW.SETUPAPI ref: 00007FF69461336B
SetupDiBuildDriverInfoList.SETUPAPI ref: 00007FF69461338C
SetupDiEnumDriverInfoW.SETUPAPI ref: 00007FF6946133C1
SetupDiGetDriverInfoDetailW.SETUPAPI ref: 00007FF69461341B
GetLastError.KERNEL32 ref: 00007FF69461342B
FileTimeToSystemTime.KERNEL32 ref: 00007FF6946134F2
GetDateFormatW.KERNEL32 ref: 00007FF694613525
SetupDiGetDriverInstallParamsW.SETUPAPI ref: 00007FF6946135BA
SetupDiEnumDriverInfoW.SETUPAPI ref: 00007FF6946136FB
SetupDiDestroyDriverInfoList.SETUPAPI ref: 00007FF694613718

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Strings

, xrefs: 00007FF6946135A5

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$Driver$Info$InstallParams$DeviceEnumFormatListTimememset$BuildCharDateDestroyDetailErrorFileFreeLastLocalMessagePrevSystemfputws
String ID:
API String ID: 2199235825-3916222277
Opcode ID: 04f89785b6df9a3bfffd53cf9e2ae7aa516d764af16d114aa2dc309da656ddb3
Instruction ID: 7da77c97f5a4cef830a9e849d9a3f143e1c4608af55ea09d082542c4c6946ce0
Opcode Fuzzy Hash: 04f89785b6df9a3bfffd53cf9e2ae7aa516d764af16d114aa2dc309da656ddb3
Instruction Fuzzy Hash: 28C1A3B1B186C247FA34AB2194912FEA651FF8D744F44C479EA1E97786CE3CE444E740

Function 00007FF6946161F0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF694616243
CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF69461627B
CM_Get_DevNode_Status_Ex.SETUPAPI ref: 00007FF6946162A9
wprintf.MSVCRT ref: 00007FF6946162CF

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Strings

%-60s: , xrefs: 00007FF6946162C8, 00007FF694616545

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Get_$CharDetailDeviceDevice_FormatFreeInfoListLocalMessageNode_PrevSetupStatus_fputwswprintf
String ID: %-60s:
API String ID: 1600579866-769737362
Opcode ID: 5fccd09aa755dc3fb9f06b51dcdbeabcd0cd67ba1d2805434f5031641155a501
Instruction ID: 19144cd665c7a074fa01e511f896270a51513ac89d06b4694e70196cec2da1b2
Opcode Fuzzy Hash: 5fccd09aa755dc3fb9f06b51dcdbeabcd0cd67ba1d2805434f5031641155a501
Instruction Fuzzy Hash: B8B190B6A08B8683EA308F11E58027D7BA4FB59B84F45D171DA6E87794DF3CE852D700

Function 00007FF69461182C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcsicmp.MSVCRT ref: 00007FF69461185D
_wcsnicmp.MSVCRT ref: 00007FF69461187B
CharNextW.USER32 ref: 00007FF6946118B7
wcschr.MSVCRT ref: 00007FF6946118CE
iswalpha.MSVCRT ref: 00007FF6946118EF
towupper.MSVCRT ref: 00007FF694611902
towlower.MSVCRT ref: 00007FF694611914
CharNextW.USER32 ref: 00007FF694611944
wcschr.MSVCRT ref: 00007FF694611969
_wcsnicmp.MSVCRT ref: 00007FF694611986
CharNextW.USER32 ref: 00007FF694611999

Strings

*, xrefs: 00007FF6946118A8

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CharNext$_wcsnicmpwcschr$_wcsicmpiswalphatowlowertowupper
String ID: *
API String ID: 658721666-163128923
Opcode ID: 6c028171533642cf754e1c2f9030c6ee29d2d88fe8cbbbcee21d3451e464a59a
Instruction ID: 75c766f222c81c2bfdc030223778ca8e0aaa854c964ae34654c9be06101935b2
Opcode Fuzzy Hash: 6c028171533642cf754e1c2f9030c6ee29d2d88fe8cbbbcee21d3451e464a59a
Instruction Fuzzy Hash: DE51A5B1A08B9282EB705B16A4900B9BAA0FB4DFD1744C5B1DEBE83794DF3CE455E310

Function 00007FF694612620 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CM_Get_Next_Res_Des_Ex.SETUPAPI ref: 00007FF694612665
CM_Free_Res_Des_Handle.SETUPAPI ref: 00007FF694612681

Part of subcall function 00007FF694611184: fputs.MSVCRT ref: 00007FF6946111A3

CM_Get_Res_Des_Data_Size_Ex.SETUPAPI ref: 00007FF69461269E
CM_Get_Res_Des_Data_Ex.SETUPAPI ref: 00007FF6946126D9
wprintf.MSVCRT ref: 00007FF69461271A
wprintf.MSVCRT ref: 00007FF694612783
CM_Get_Next_Res_Des_Ex.SETUPAPI ref: 00007FF6946127B4
CM_Free_Res_Des_Handle.SETUPAPI ref: 00007FF6946127D0

Strings

MEM : %08I64x-%08I64x, xrefs: 00007FF694612774
IRQ : %u, xrefs: 00007FF694612710
IO : %04I64x-%04I64x, xrefs: 00007FF694612753
DMA : %u, xrefs: 00007FF694612732

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Des_Res_$Get_$Data_Free_HandleNext_wprintf$Size_fputs
String ID: DMA : %u$IO : %04I64x-%04I64x$IRQ : %u$MEM : %08I64x-%08I64x
API String ID: 722776883-3427375868
Opcode ID: 9b08e2580fd995fd1323d7d8c7d3968f47489ccd5d6e3822b77bb76949f4117a
Instruction ID: b3d1612be9ad23b4f94e1571d1724af66ea8e271bb0fbf03dd6c56c324957efc
Opcode Fuzzy Hash: 9b08e2580fd995fd1323d7d8c7d3968f47489ccd5d6e3822b77bb76949f4117a
Instruction Fuzzy Hash: C851B1B2A047428BEB248F24D4946B9BBA0FB4DB98F44C175DE1D83795DF38E444D700

Function 00007FF694612E8C Relevance: 19.7, APIs: 13, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00007FF694612EDD

Part of subcall function 00007FF694612A04: SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612A6A
Part of subcall function 00007FF694612A04: SetupDiSetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612A91
Part of subcall function 00007FF694612A04: SetupDiBuildDriverInfoList.SETUPAPI ref: 00007FF694612AAD
Part of subcall function 00007FF694612A04: SetupDiEnumDriverInfoW.SETUPAPI ref: 00007FF694612AD2

SetupDiGetDriverInfoDetailW.SETUPAPI ref: 00007FF694612F4F
GetLastError.KERNEL32 ref: 00007FF694612F64
SetupDiSetSelectedDriverW.SETUPAPI ref: 00007FF694612FA2
SetupOpenFileQueue.SETUPAPI ref: 00007FF694612FB6
memset.MSVCRT ref: 00007FF694612FDC
SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF694612FF4
SetupDiSetDeviceInstallParamsW.SETUPAPI ref: 00007FF69461301D
SetupDiCallClassInstaller.SETUPAPI ref: 00007FF69461303C
SetupScanFileQueueW.SETUPAPI ref: 00007FF69461307F
SetupScanFileQueueW.SETUPAPI ref: 00007FF6946130E7

Part of subcall function 00007FF694611184: fputs.MSVCRT ref: 00007FF6946111A3

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$DeviceDriverInstallParams$FileInfoQueue$Scanmemset$BuildCallCharClassDetailEnumErrorFormatFreeInstallerLastListLocalMessageOpenPrevSelectedfputsfputws
String ID:
API String ID: 3550884892-0
Opcode ID: 1c0340ecdef8709fe67892c2f2bd353b30d0c9940b17e42dad09206d73fa4277
Instruction ID: 1945f204125deda37356e7e9a6cc4b269349f360c2c16585c150162a93489a6e
Opcode Fuzzy Hash: 1c0340ecdef8709fe67892c2f2bd353b30d0c9940b17e42dad09206d73fa4277
Instruction Fuzzy Hash: B27170726086818BE7309B21E8911FEBBA5FB8DB94F448275DA2E87B95CF3CD505D700

Function 00007FF694615540 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF6946155CA
memset.MSVCRT ref: 00007FF6946155ED
SetupDiGetINFClassW.SETUPAPI ref: 00007FF694615623
SetupDiCreateDeviceInfoList.SETUPAPI ref: 00007FF69461563A
SetupDiCreateDeviceInfoW.SETUPAPI ref: 00007FF694615682
SetupDiSetDeviceRegistryPropertyW.SETUPAPI ref: 00007FF6946156C2
SetupDiCallClassInstaller.SETUPAPI ref: 00007FF6946156DF
SetupDiDestroyDeviceInfoList.SETUPAPI ref: 00007FF694615720

Strings

, xrefs: 00007FF694615657

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$Device$Info$ClassCreateList$CallDestroyFullInstallerNamePathPropertyRegistrymemset
String ID:
API String ID: 2770198913-3916222277
Opcode ID: 637852011958671ebc2a86af737020983344680163c69d9b2c53f9f14a188548
Instruction ID: f88ffb59c05fecfa49054dbbda528f3acb916962ffdaa5f3cfb2e85734c23d02
Opcode Fuzzy Hash: 637852011958671ebc2a86af737020983344680163c69d9b2c53f9f14a188548
Instruction Fuzzy Hash: 2F5191B2A08A8186E764CB21E4907ADB7A1FB8CB94F848172DE6D87B84DF7CD505D740

Function 00007FF694616830 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89libraryloaderCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF69461688B
LoadLibraryW.KERNEL32 ref: 00007FF6946168B1
GetProcAddress.KERNEL32 ref: 00007FF6946168D3
GetLastError.KERNEL32 ref: 00007FF6946168FF
FreeLibrary.KERNEL32 ref: 00007FF694616982

Strings

SetupUninstallOEMInfW, xrefs: 00007FF6946168C9
setupapi.dll, xrefs: 00007FF6946168AA

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Library$AddressErrorFreeFullLastLoadNamePathProc
String ID: SetupUninstallOEMInfW$setupapi.dll
API String ID: 3805412813-3713901415
Opcode ID: f826e6926d4abd4d1c32c8a32c69696b6dbc7c6ad6b6f534f13fffafd3e8f701
Instruction ID: 550ac5d522afdf855f3e716bbc8beedc54b4ced94abb303fb56872a41a0c6322
Opcode Fuzzy Hash: f826e6926d4abd4d1c32c8a32c69696b6dbc7c6ad6b6f534f13fffafd3e8f701
Instruction Fuzzy Hash: AB416C76A08A8283FB309B11E4953B96AA0FB8DB50F54C4B5DA6E83785CF3CE400D740

Function 00007FF69461377C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 171registryCOMMON

Download Yara Rule

APIs

SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF6946137BA
SetupDiOpenClassRegKeyExW.SETUPAPI ref: 00007FF6946137FB
wprintf.MSVCRT ref: 00007FF6946138FC
RegCloseKey.ADVAPI32 ref: 00007FF694613989

Part of subcall function 00007FF694611720: RegQueryValueExW.ADVAPI32 ref: 00007FF6946117D2

Part of subcall function 00007FF694611184: fputs.MSVCRT ref: 00007FF6946111A3

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Part of subcall function 00007FF694613174: wprintf.MSVCRT ref: 00007FF69461319F

Strings

LowerFilters, xrefs: 00007FF69461393A
%s, xrefs: 00007FF6946138F5
UpperFilters, xrefs: 00007FF694613814

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setupwprintf$CharClassCloseDetailDeviceFormatFreeInfoListLocalMessageOpenPrevQueryValuefputsfputws
String ID: %s$LowerFilters$UpperFilters
API String ID: 4180368772-1836264166
Opcode ID: c96146b135fb6446ec0d141a43b450ce88b596e9a6496a6f546279a038430dfb
Instruction ID: 68b7ec25415ac1989eb036ddae43b6b4ea72d493bd31d7c8027a594482ad2c53
Opcode Fuzzy Hash: c96146b135fb6446ec0d141a43b450ce88b596e9a6496a6f546279a038430dfb
Instruction Fuzzy Hash: 9B5184F0B0868252FD38A72294A11F85295EF8DB90F48C5B8D92F8B7C6DE3DE441E340

Function 00007FF6946153A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 92libraryloaderCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32 ref: 00007FF69461541D
GetFileAttributesW.KERNEL32 ref: 00007FF69461543B
LoadLibraryW.KERNEL32 ref: 00007FF694615457
GetProcAddress.KERNEL32 ref: 00007FF694615479
FreeLibrary.KERNEL32 ref: 00007FF6946154F2

Part of subcall function 00007FF694611094: FormatMessageW.KERNEL32 ref: 00007FF6946110E7
Part of subcall function 00007FF694611094: CharPrevW.USER32 ref: 00007FF69461110F
Part of subcall function 00007FF694611094: fputws.MSVCRT ref: 00007FF694611151
Part of subcall function 00007FF694611094: LocalFree.KERNEL32 ref: 00007FF694611161

Strings

UpdateDriverForPlugAndPlayDevicesW, xrefs: 00007FF69461546F
newdev.dll, xrefs: 00007FF694615450

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: FreeLibrary$AddressAttributesCharFileFormatFullLoadLocalMessageNamePathPrevProcfputws
String ID: UpdateDriverForPlugAndPlayDevicesW$newdev.dll
API String ID: 3139919817-3767700378
Opcode ID: b5a4fe77c619eed7b17a7eefbe38ac003ec55746e375a6d3b133f2d118feb241
Instruction ID: 5e7683d967ad2826c4ce71a99b40955e05ae15026e604d6d973bc32b5308b7ba
Opcode Fuzzy Hash: b5a4fe77c619eed7b17a7eefbe38ac003ec55746e375a6d3b133f2d118feb241
Instruction Fuzzy Hash: 4641B3B2A08B8286E7349F11E4942B9B7A4FB8CB81F4481B1DE5E93794DF3CE845D700

Function 00007FF694615870 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF6946158AE
CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF6946158DF
SetupDiSetClassInstallParamsW.SETUPAPI ref: 00007FF694615928
SetupDiCallClassInstaller.SETUPAPI ref: 00007FF694615943
SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF69461596A
wprintf.MSVCRT ref: 00007FF6946159AD

Strings

%-60s: %s, xrefs: 00007FF6946159A6

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$ClassDeviceInstallParams$CallDetailDevice_Get_InfoInstallerListwprintf
String ID: %-60s: %s
API String ID: 1061212145-3470069224
Opcode ID: d8e35f1dae23d892e67c052b59891b43c6bb9e2ccfcc005567ed7e1e6362209c
Instruction ID: b214398cc27c05b3515a18b846523b3c64b120b6e06311679e8bbe2677748405
Opcode Fuzzy Hash: d8e35f1dae23d892e67c052b59891b43c6bb9e2ccfcc005567ed7e1e6362209c
Instruction Fuzzy Hash: 623150B2604AC1CAE7348F61E8447EABBA4FB4DB89F449175CA1D8BA94CF3CD505DB40

Function 00007FF694613F80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF694616B70: malloc.MSVCRT(?,?,?,00007FF6946112DB), ref: 00007FF694616B8E

GetLastError.KERNEL32 ref: 00007FF694613FD8
SetupDiBuildClassInfoListExW.SETUPAPI ref: 00007FF694614038
SetupDiClassNameFromGuidExW.SETUPAPI ref: 00007FF6946140A0
SetupDiGetClassDescriptionExW.SETUPAPI ref: 00007FF6946140E3
wprintf.MSVCRT ref: 00007FF69461411A

Strings

%-20s: %s, xrefs: 00007FF694614113

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: ClassSetup$BuildDescriptionErrorFromGuidInfoLastListNamemallocwprintf
String ID: %-20s: %s
API String ID: 894314750-1251934994
Opcode ID: 1f7e96aa73fb74d08126d1bbaf1fdb7694c13161de74e7aefa62b0d6292f9c7f
Instruction ID: b8c24aa3f70bb536b75b33d85b21f54697aab09e4d18901e07c665336ce07a4a
Opcode Fuzzy Hash: 1f7e96aa73fb74d08126d1bbaf1fdb7694c13161de74e7aefa62b0d6292f9c7f
Instruction Fuzzy Hash: D151D3B2A18A9286F730DB21E8917F967A0FB8DB94F408175DA6D83794CF3CE505D740

Function 00007FF694615770 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6946157A0
GetProcAddress.KERNEL32 ref: 00007FF6946157DB
FreeLibrary.KERNEL32 ref: 00007FF6946157F2

Part of subcall function 00007FF6946153A0: GetFullPathNameW.KERNEL32 ref: 00007FF69461541D
Part of subcall function 00007FF6946153A0: GetFileAttributesW.KERNEL32 ref: 00007FF69461543B
Part of subcall function 00007FF6946153A0: LoadLibraryW.KERNEL32 ref: 00007FF694615457
Part of subcall function 00007FF6946153A0: GetProcAddress.KERNEL32 ref: 00007FF694615479
Part of subcall function 00007FF6946153A0: FreeLibrary.KERNEL32 ref: 00007FF6946154F2

FreeLibrary.KERNEL32 ref: 00007FF694615838

Strings

SetupSetNonInteractiveMode, xrefs: 00007FF6946157D1
setupapi.dll, xrefs: 00007FF694615793

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Library$Free$AddressLoadProc$AttributesFileFullNamePath
String ID: SetupSetNonInteractiveMode$setupapi.dll
API String ID: 298606531-1268865691
Opcode ID: d6473bd80b3354bc20dd18b845dee4fc7294c20c11b53f877abf81ad8315ab3c
Instruction ID: f5cfc820d38186ef400ee635f522f9158823e990a9fa092ef31cd5008a7035cd
Opcode Fuzzy Hash: d6473bd80b3354bc20dd18b845dee4fc7294c20c11b53f877abf81ad8315ab3c
Instruction Fuzzy Hash: F4212876B08B5182EB249B16A880029FBA0FB8DFD0B8485B5DE5E83B11DF3CE442D744

Function 00007FF694612214 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF694612249
CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF694612277
wprintf.MSVCRT ref: 00007FF6946122B9
wprintf.MSVCRT ref: 00007FF6946122CE

Strings

%-60s: %s, xrefs: 00007FF6946122B2
%s, xrefs: 00007FF6946122C7

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: wprintf$DetailDeviceDevice_Get_InfoListSetup
String ID: %-60s: %s$%s
API String ID: 500149863-1339393084
Opcode ID: 22688ed9ad00e57f419abfa9b832a18cfacfc1b16a54d8d9094973b0933df31a
Instruction ID: 06a3d07fd783dd63da6748e4121086ce03a625f541ca8b9dbf694ef4821b61b8
Opcode Fuzzy Hash: 22688ed9ad00e57f419abfa9b832a18cfacfc1b16a54d8d9094973b0933df31a
Instruction Fuzzy Hash: 50215EB2A18A8286E7308B14F8807B9B760FB8DB85F84D571DA1E87654DF3CD549D700

Function 00007FF6946127F8 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF69461283E
CM_Get_DevNode_Status_Ex.SETUPAPI ref: 00007FF69461286D
CM_Get_First_Log_Conf_Ex.SETUPAPI ref: 00007FF69461289C
CM_Get_First_Log_Conf_Ex.SETUPAPI ref: 00007FF6946128C3
CM_Get_First_Log_Conf_Ex.SETUPAPI ref: 00007FF6946128F7
CM_Free_Log_Conf_Handle.SETUPAPI ref: 00007FF69461297B

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Conf_Get_Log_$First_$DetailDeviceFree_HandleInfoListNode_SetupStatus_
String ID:
API String ID: 950201049-0
Opcode ID: 31dd0be03b1e2ed74105f98b7802783fa533680d4a7a54325da88854b0cf6a6b
Instruction ID: 52cc94bf74cb4a13daf38d4362fb7f32c5b0479862309a4dd052e0ed465a4150
Opcode Fuzzy Hash: 31dd0be03b1e2ed74105f98b7802783fa533680d4a7a54325da88854b0cf6a6b
Instruction Fuzzy Hash: E041D172618682C7E760CF21E4D07BABBA0FB89B48F44A175EA4E87695CF3CD404DB40

Function 00007FF694617304 Relevance: 9.0, APIs: 6, Instructions: 49timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF694617334
GetCurrentProcessId.KERNEL32 ref: 00007FF694617342
GetCurrentThreadId.KERNEL32 ref: 00007FF69461734E
GetTickCount.KERNEL32 ref: 00007FF69461735A
GetTickCount.KERNEL32 ref: 00007FF69461736A
QueryPerformanceCounter.KERNEL32 ref: 00007FF694617385

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CountCurrentTickTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 4104442557-0
Opcode ID: ff399e0d3ff5fe37e71ae8076eddf2ae3c4423fb69a0fba1259bbe2426c4784e
Instruction ID: 6f23aac008eb723fe8c41110b7353dd8835b07e27ce3513f3a8c54482d1a7827
Opcode Fuzzy Hash: ff399e0d3ff5fe37e71ae8076eddf2ae3c4423fb69a0fba1259bbe2426c4784e
Instruction Fuzzy Hash: 84111A72A04F418AEB20DF70E8842A933A4FB4C758F444A35EA6D87B64DF7CD5A4C380

Function 00007FF694614CB0 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

SetupDiSetClassInstallParamsW.SETUPAPI ref: 00007FF694614D23
SetupDiCallClassInstaller.SETUPAPI ref: 00007FF694614D3E
SetupDiSetClassInstallParamsW.SETUPAPI ref: 00007FF694614D7F
SetupDiCallClassInstaller.SETUPAPI ref: 00007FF694614D9A
SetupDiGetDeviceInstallParamsW.SETUPAPI ref: 00007FF694614DBD

Part of subcall function 00007FF694612214: SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF694612249
Part of subcall function 00007FF694612214: CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF694612277
Part of subcall function 00007FF694612214: wprintf.MSVCRT ref: 00007FF6946122B9

Part of subcall function 00007FF694612214: wprintf.MSVCRT ref: 00007FF6946122CE

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: Setup$Class$InstallParams$CallDeviceInstallerwprintf$DetailDevice_Get_InfoList
String ID:
API String ID: 3776784670-0
Opcode ID: 8ce33fe5aa1e47d727e1c62a8cf72dee673e4573541e05452e905546d644a5c8
Instruction ID: 896d1c65fa5972d572f4b0646c7da2df6b9f3132a08649aee3e6eec86f927334
Opcode Fuzzy Hash: 8ce33fe5aa1e47d727e1c62a8cf72dee673e4573541e05452e905546d644a5c8
Instruction Fuzzy Hash: 8E412CB26086818AE7348F11E5943BDBAA0FB8EFC8F448165DA5D87B95CF3CD505DB40

Function 00007FF694616EF0 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF694616F63
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF694616F82
RtlVirtualUnwind.KERNEL32 ref: 00007FF694616FCF
__raise_securityfailure.LIBCMT ref: 00007FF6946170B4

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CaptureContextEntryFunctionLookupUnwindVirtual__raise_securityfailure
String ID:
API String ID: 140117192-0
Opcode ID: f73fcc106f6f841744f8b0324b0c44eff1169e70cc5ac8b3154f84bef4cecd31
Instruction ID: 82d66e240e048cd368c6debe6e154240214cda60b920beb964c04177014760ef
Opcode Fuzzy Hash: f73fcc106f6f841744f8b0324b0c44eff1169e70cc5ac8b3154f84bef4cecd31
Instruction Fuzzy Hash: ED41CAB5A08B4589EB208B19F8D03697764FB8CB84F508175DAADC3764DF7CE454E740

Function 00007FF694611094 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32 ref: 00007FF6946110E7
CharPrevW.USER32 ref: 00007FF69461110F
fputws.MSVCRT ref: 00007FF694611151
LocalFree.KERNEL32 ref: 00007FF694611161

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: CharFormatFreeLocalMessagePrevfputws
String ID:
API String ID: 578739846-0
Opcode ID: 80f2999c9d4d5f92137bd9dbf908d4475c93929c27a24fa275eded79dab9367f
Instruction ID: f6ed5e6c046b2228e4c20f3cd843e1b04572d51ff8843da08bac168d7f3df280
Opcode Fuzzy Hash: 80f2999c9d4d5f92137bd9dbf908d4475c93929c27a24fa275eded79dab9367f
Instruction Fuzzy Hash: D62139B7A04B519AE7118F61E8844BC77B5FB88B54B568971CE2E43754EF34C851C310

Function 00007FF694615BA0 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

CM_Connect_MachineW.SETUPAPI ref: 00007FF694615BC7
CM_Locate_DevNode_ExW.SETUPAPI ref: 00007FF694615BEA
CM_Reenumerate_DevNode_Ex.SETUPAPI ref: 00007FF694615C22
CM_Disconnect_Machine.SETUPAPI ref: 00007FF694615C53

Memory Dump Source

Source File: 00000028.00000002.1877620203.00007FF694611000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF694610000, based on PE: true

Associated: 00000028.00000002.1877600211.00007FF694610000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877638479.00007FF694618000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877658108.00007FF69461B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000028.00000002.1877678865.00007FF69461C000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_40_2_7ff694610000_devcon.jbxd

Similarity

API ID: MachineNode_$Connect_Disconnect_Locate_Reenumerate_
String ID:
API String ID: 218754429-0
Opcode ID: bcf9bd167d5d9956257164c9fa32b781fcb5858d099143dc4dd555625cd9d9f3
Instruction ID: dbc1e0701fd36513bb668b613bfd7c2bbfd71f92c9b7d71a84289da23ea18124
Opcode Fuzzy Hash: bcf9bd167d5d9956257164c9fa32b781fcb5858d099143dc4dd555625cd9d9f3
Instruction Fuzzy Hash: 4F11D6B2B08AC682E7289F21E4905B9B7A1FFCDB84F45C574DA6E83655DF3CD404D600

Analysis Process: WUDFHost.exePID: 7484, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	21.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	354
Total number of Limit Nodes:	11

Executed Functions

Function 00007FFE13201450 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 167
filesynchronizationpipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FFE13201498
CreateNamedPipeW.KERNELBASE ref: 00007FFE132014C8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132014F7
OutputDebugStringA.KERNEL32 ref: 00007FFE13201500
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201542
OutputDebugStringA.KERNEL32 ref: 00007FFE1320154B
ConnectNamedPipe.KERNELBASE ref: 00007FFE1320155A
GetLastError.KERNEL32 ref: 00007FFE13201568
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320159C
OutputDebugStringA.KERNEL32 ref: 00007FFE132015A5
WriteFile.KERNEL32 ref: 00007FFE132015E1
SleepEx.KERNEL32 ref: 00007FFE13201606
ReadFile.KERNELBASE ref: 00007FFE13201625
FindCloseChangeNotification.KERNELBASE ref: 00007FFE13201656
ReleaseMutex.KERNEL32 ref: 00007FFE1320167A
WaitForSingleObject.KERNEL32 ref: 00007FFE13201689
WriteFile.KERNEL32 ref: 00007FFE132016BA
PeekNamedPipe.KERNELBASE ref: 00007FFE132016F4
CloseHandle.KERNEL32 ref: 00007FFE13201705
ReleaseMutex.KERNEL32 ref: 00007FFE13201718

Strings

Client connected to Tx Pipe, xrefs: 00007FFE1320158E
Couldn't create TX PIPE, xrefs: 00007FFE132014E9
Tx Pipe waiting for client to connect, xrefs: 00007FFE13201534

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugFileNamedOutputPipeStringswprintf$CloseMutexReleaseSleepWrite$ChangeConnectCreateErrorFindHandleLastNotificationObjectPeekReadSingleWait
String ID: Client connected to Tx Pipe$Couldn't create TX PIPE$Tx Pipe waiting for client to connect
API String ID: 2104952168-620275337
Opcode ID: ccde033439e10b9cae6ee0591f6f41d027f13791ba550421f44d8fdc33a4abd9
Instruction ID: 07880865cd859bd3bac8a6008a860a249505fd55eed83b92ccb8a9b1cf89d2f5
Opcode Fuzzy Hash: ccde033439e10b9cae6ee0591f6f41d027f13791ba550421f44d8fdc33a4abd9
Instruction Fuzzy Hash: 47811D65E18E468AF720AB13E9402BD67A2FFE4BA0F9041B5D94D66674CF3CE54CC740

Function 00007FFE1320103C Relevance: 7.5, APIs: 5, Instructions: 47
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE ref: 00007FFE13201049
CreateMutexW.KERNELBASE ref: 00007FFE1320105D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE1320107F
CreateThread.KERNELBASE ref: 00007FFE132010A4
CreateThread.KERNELBASE ref: 00007FFE132010CE

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: Create$MutexThread$malloc
String ID:
API String ID: 526595258-0
Opcode ID: 2a8761151093c3bb8fe723215a9311d83cc1d2543bc904fd2bb983a195674f77
Instruction ID: bff5df80578c5e7b74d3a120ee1c9359a014916da90ad64245080c0af561495c
Opcode Fuzzy Hash: 2a8761151093c3bb8fe723215a9311d83cc1d2543bc904fd2bb983a195674f77
Instruction Fuzzy Hash: 1811A031B18F014BF728AB62E88676E6392FBE8724F94817DDA4E55670CF3CA00CC600

Function 00007FFE132011A0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 155
filesynchronizationpipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FFE132011E8
CreateNamedPipeW.KERNELBASE ref: 00007FFE13201218
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201247
OutputDebugStringA.KERNEL32 ref: 00007FFE13201250
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201292
OutputDebugStringA.KERNEL32 ref: 00007FFE1320129B
ConnectNamedPipe.KERNELBASE ref: 00007FFE132012AA
GetLastError.KERNEL32 ref: 00007FFE132012B8
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132012EC
OutputDebugStringA.KERNEL32 ref: 00007FFE132012F5
WriteFile.KERNEL32 ref: 00007FFE13201331
SleepEx.KERNEL32 ref: 00007FFE1320135A
ReadFile.KERNELBASE ref: 00007FFE13201379
CloseHandle.KERNEL32 ref: 00007FFE132013AA
WaitForSingleObject.KERNEL32 ref: 00007FFE132013BF
ReadFile.KERNELBASE ref: 00007FFE132013F0
CloseHandle.KERNEL32 ref: 00007FFE13201401
ReleaseMutex.KERNEL32 ref: 00007FFE13201422
ReleaseMutex.KERNEL32 ref: 00007FFE13201437

Strings

Couldn't create RX PIPE, xrefs: 00007FFE13201239
Client connected to Rx Pipe, xrefs: 00007FFE132012DE
Rx Pipe waiting for client to connect, xrefs: 00007FFE13201284

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugFileOutputStringswprintf$CloseHandleMutexNamedPipeReadReleaseSleep$ConnectCreateErrorLastObjectSingleWaitWrite
String ID: Client connected to Rx Pipe$Couldn't create RX PIPE$Rx Pipe waiting for client to connect
API String ID: 1972074743-3588961759
Opcode ID: ff1bbc41128ba2a93588fd681ccb65bf33ce0c646b4688b609364b64b3b30b10
Instruction ID: 6b6a1c62639909009fd94aa77b86f7a6925d8b72375d01ccbaab7c162f9e9938
Opcode Fuzzy Hash: ff1bbc41128ba2a93588fd681ccb65bf33ce0c646b4688b609364b64b3b30b10
Instruction Fuzzy Hash: 4181FC65E18E428AF620AB63E9401BD73A1FFE4B60FA041B6D54E666B4CF7CE50DC740

Function 00007FFE13203940 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DbgPrintEx.NTDLL ref: 00007FFE132039A9
DbgPrintEx.NTDLL ref: 00007FFE132039BF
DbgPrintEx.NTDLL ref: 00007FFE13203A11
DbgPrintEx.NTDLL ref: 00007FFE13203A27
DbgPrintEx.NTDLL ref: 00007FFE13203A4A
DbgPrintEx.NTDLL ref: 00007FFE13203A60
DbgPrintEx.NTDLL ref: 00007FFE13203A98
DbgPrintEx.NTDLL ref: 00007FFE13203AAE
DbgPrintEx.NTDLL ref: 00007FFE13203AD9
DbgPrintEx.NTDLL ref: 00007FFE13203AF7
DbgPrintEx.NTDLL ref: 00007FFE13203B0D
DbgPrintEx.NTDLL ref: 00007FFE13203B29

Strings

FxDriverEntryUm: invalid LoaderInterface 0x%x, xrefs: 00007FFE13203B17
FxDriverEntryUm: DriverEntry failed 0x%x for driver %wZ, xrefs: 00007FFE13203ACF
Wudfx2000: , xrefs: 00007FFE1320399C, 00007FFE13203A04, 00007FFE13203A3D, 00007FFE13203A8B, 00007FFE13203AEA
FxDriverEntryUm: VersionBind status 0x%x, xrefs: 00007FFE13203A1A
FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to version library, xrefs: 00007FFE13203A53
FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to class library if present, xrefs: 00007FFE13203AA1
FxDriverEntrydUm Enter PDRIVER_OBJECT_UM 0x%p, xrefs: 00007FFE132039B2
FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully returned from driver's DriverEntry, xrefs: 00007FFE13203B00

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: Print
String ID: FxDriverEntryUm: DriverEntry failed 0x%x for driver %wZ$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to class library if present$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully bound to version library$FxDriverEntryUm: PDRIVER_OBJECT_UM 0x%p Successfully returned from driver's DriverEntry$FxDriverEntryUm: VersionBind status 0x%x$FxDriverEntryUm: invalid LoaderInterface 0x%x$FxDriverEntrydUm Enter PDRIVER_OBJECT_UM 0x%p$Wudfx2000:
API String ID: 3558298466-464219049
Opcode ID: f9f4fa4e0a429dc2f3b1f90cd808eaf3d505fd65c7824ea117bca7e17036aa37
Instruction ID: dd8d290e321b7647ec117f724c494d22b5b7ea0da5c39e6f9c15f95b73c23f8e
Opcode Fuzzy Hash: f9f4fa4e0a429dc2f3b1f90cd808eaf3d505fd65c7824ea117bca7e17036aa37
Instruction Fuzzy Hash: 8D51EB35A08F429EF624AB53E8045AE6261FFE8BB8F5441B2D95973371CE3DE58DC240

Function 00007FFE13201C40 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201C94
OutputDebugStringA.KERNEL32 ref: 00007FFE13201C9D
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201D4D
OutputDebugStringA.KERNEL32 ref: 00007FFE13201D59

Strings

Using Hard-coded Report descriptor, xrefs: 00007FFE13201E75
Enter EvtDeviceAdd, xrefs: 00007FFE13201C87
Error: WdfDeviceCreate failed 0x%x, xrefs: 00007FFE13201D3D
PipesInit returned: %d, xrefs: 00007FFE13201EB5
8, xrefs: 00007FFE13201D06
Failed to read descriptor from registry, xrefs: 00007FFE13201E36

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: PipesInit returned: %d$8$Enter EvtDeviceAdd$Error: WdfDeviceCreate failed 0x%x$Failed to read descriptor from registry$Using Hard-coded Report descriptor
API String ID: 79745889-3959671834
Opcode ID: 16241715f71f7b2e78ff04d06a918d562623767d11e0113e24a21ebd294e7297
Instruction ID: 38bcc5f08ab4ae6235d934f7d513b1da4bd396c43e3673a305765dac9143b913
Opcode Fuzzy Hash: 16241715f71f7b2e78ff04d06a918d562623767d11e0113e24a21ebd294e7297
Instruction Fuzzy Hash: 78815025A18F8689E750EF22E8402AD2364FBE8B64F508172EA4DA7775DF3CE54CC740

Function 00007FFE13202B38 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202B8C
OutputDebugStringA.KERNEL32 ref: 00007FFE13202B95
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202C62
OutputDebugStringA.KERNEL32 ref: 00007FFE13202C6E

Strings

8, xrefs: 00007FFE13202C13
WdfIoQueueCreate failed 0x%x, xrefs: 00007FFE13202C51
QUEUecre, xrefs: 00007FFE13202B7E

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: 8$QUEUecre$WdfIoQueueCreate failed 0x%x
API String ID: 79745889-1312770787
Opcode ID: 90a3f2d5762d31625a14d2fc45adea2f86764422d7893843a7f10a0f03dde394
Instruction ID: c87c3f500a32ec8b673cfc9d14bff116f7034fc4ba7d4c86daed51fca821a68c
Opcode Fuzzy Hash: 90a3f2d5762d31625a14d2fc45adea2f86764422d7893843a7f10a0f03dde394
Instruction Fuzzy Hash: 1F51FE26A18B8189E710DB26E8802AD7760FBE8BA4F504176EE4D67775DF3CD149C700

Function 00007FFE13201B18 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201B64
OutputDebugStringA.KERNEL32 ref: 00007FFE13201B6E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13201BF9
OutputDebugStringA.KERNEL32 ref: 00007FFE13201C06

Strings

DriverEntry for IDmelonHIDdrv, xrefs: 00007FFE13201B56
, xrefs: 00007FFE13201BA3
Error: WdfDriverCreate failed 0x%x, xrefs: 00007FFE13201BE8

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: $DriverEntry for IDmelonHIDdrv$Error: WdfDriverCreate failed 0x%x
API String ID: 79745889-3519952669
Opcode ID: a22b21f8a936388fc97461c0f9945eeb537ba2ea1cc19efaa65f3d543d1f3138
Instruction ID: 3b7667670efea88c8d5e697355b7252160a1300cdfd2466236bf01959fc6a409
Opcode Fuzzy Hash: a22b21f8a936388fc97461c0f9945eeb537ba2ea1cc19efaa65f3d543d1f3138
Instruction Fuzzy Hash: 53216432A18F8585E720EB12F8453AE6364FBE8BA0F904171DA8D93769DF3DD548CB40

Function 00007FFE13201A54 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFE13201AAA

Strings

ReadFromRegistry, xrefs: 00007FFE13201A9E

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: InitStringUnicode
String ID: ReadFromRegistry
API String ID: 4228678080-2823807924
Opcode ID: d7045735b450d10ca7eef2bf90baf95b1a0a9490a264fc47a8becad569abb2c4
Instruction ID: c608d836ea9827d806bc395123a8922fb8fede801d42632df73f94415806c39b
Opcode Fuzzy Hash: d7045735b450d10ca7eef2bf90baf95b1a0a9490a264fc47a8becad569abb2c4
Instruction Fuzzy Hash: 89112B75B08F068AEB009B16E88476D7360FBA8BA5F5001B2DE5C57334DF2EE499C740

Non-executed Functions

Function 00007FFE132027CC Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132028B3
OutputDebugStringA.KERNEL32 ref: 00007FFE132028BF
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132029E0

Strings

(, xrefs: 00007FFE13202A7A
WdfIoQueueCreate failed 0x%x, xrefs: 00007FFE132028A3
WdfTimerCreate failed 0x%x, xrefs: 00007FFE132029D0, 00007FFE13202ACA
(, xrefs: 00007FFE1320296D

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: swprintf$DebugOutputString
String ID: ($($WdfIoQueueCreate failed 0x%x$WdfTimerCreate failed 0x%x
API String ID: 2627967256-2377412015
Opcode ID: c736806c944dfe9459cdeb6948cce325341392466bc6cae8614ca52d8a592f4c
Instruction ID: 90059fb9455ff816abcdd71ea05e86216791d7933f64b6c6926b90f0a07fc0cf
Opcode Fuzzy Hash: c736806c944dfe9459cdeb6948cce325341392466bc6cae8614ca52d8a592f4c
Instruction Fuzzy Hash: 30A13E62A18B8189E710DF62E8802ED3760F7E4BA8F505276EE4D63779DF38D198C740

Function 00007FFE132046C8 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE132046E4
RtlCaptureContext.KERNEL32 ref: 00007FFE13204711
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE1320472B
RtlVirtualUnwind.KERNEL32 ref: 00007FFE1320476C
IsDebuggerPresent.KERNEL32 ref: 00007FFE132047C0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE132047E1
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE132047EC

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 344297d84c8067e6abf24d991a323fa6e0dc01afb207876c91f4e9e0aea85330
Instruction ID: 70008aee4d89971716d6615a739e3821c33a614b7436b7f5e456fb0145bdc15d
Opcode Fuzzy Hash: 344297d84c8067e6abf24d991a323fa6e0dc01afb207876c91f4e9e0aea85330
Instruction Fuzzy Hash: 11316E72608E8189EB60AF61E8503ED3361FB94764F40847ADA4E67BA4EF3CD54CCB10

Function 00007FFE13203158 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132031AF
OutputDebugStringA.KERNEL32 ref: 00007FFE132031B9

Part of subcall function 00007FFE13203860: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132038D3
Part of subcall function 00007FFE13203860: OutputDebugStringA.KERNEL32 ref: 00007FFE132038DD

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203203
OutputDebugStringA.KERNEL32 ref: 00007FFE1320320C

Strings

SetFeature: invalid input buffer. size %d, expect %d, xrefs: 00007FFE1320323C
SetFeature: IDMELONHID_CONTROL_CODE_DUMMY1, xrefs: 00007FFE132032FF
SetFeature: IDMELONHID_CONTROL_CODE_DUMMY2, xrefs: 00007FFE132032D2
SetFeature, xrefs: 00007FFE132031A0
SetFeature: Unknown control Code 0x%x, xrefs: 00007FFE132032A7
SetFeature: invalid report id %d, xrefs: 00007FFE132031F5

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: SetFeature$SetFeature: IDMELONHID_CONTROL_CODE_DUMMY1$SetFeature: IDMELONHID_CONTROL_CODE_DUMMY2$SetFeature: Unknown control Code 0x%x$SetFeature: invalid input buffer. size %d, expect %d$SetFeature: invalid report id %d
API String ID: 79745889-321838564
Opcode ID: e010d420a2bb48320439f17d13db64a889c1f4fd4f3445e748223449e5cc304c
Instruction ID: 66f68b39dd571b6cf0aeb87a4acc731d0943dcaab66e3a907ddf893dd6081654
Opcode Fuzzy Hash: e010d420a2bb48320439f17d13db64a889c1f4fd4f3445e748223449e5cc304c
Instruction Fuzzy Hash: C4516065618E828DE720EB23E8502FE6360FBE4764F5440B1EA4D676B5DE3CE64CC740

Function 00007FFE132034B4 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320350C
OutputDebugStringA.KERNEL32 ref: 00007FFE13203516

Part of subcall function 00007FFE13203860: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132038D3
Part of subcall function 00007FFE13203860: OutputDebugStringA.KERNEL32 ref: 00007FFE132038DD

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320354E
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320357E
OutputDebugStringA.KERNEL32 ref: 00007FFE1320358A
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132035C9
OutputDebugStringA.KERNEL32 ref: 00007FFE132035D5
OutputDebugStringA.KERNEL32 ref: 00007FFE13203669

Strings

WriteReport, xrefs: 00007FFE132034FD
WriteReport: information set bytes %d, xrefs: 00007FFE1320364C
WriteReport: input buffer. size %d, xrefs: 00007FFE1320356D
WriteReport: invalid input buffer. size %d, expect %d, xrefs: 00007FFE132035B0
WriteReport: iRequestGetHidXferPacket_ToWriteToDevice failed, xrefs: 00007FFE13203540

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: WriteReport$WriteReport: input buffer. size %d$WriteReport: iRequestGetHidXferPacket_ToWriteToDevice failed$WriteReport: information set bytes %d$WriteReport: invalid input buffer. size %d, expect %d
API String ID: 79745889-1969825649
Opcode ID: 27dc0d55051a149a62840a266a3792bc134b13d6674b58aa0cf559228ccf8a14
Instruction ID: cc97268e4305c55e8c8233471ea9ae384d09ec48496282a1203a6d4d46bca1e7
Opcode Fuzzy Hash: 27dc0d55051a149a62840a266a3792bc134b13d6674b58aa0cf559228ccf8a14
Instruction Fuzzy Hash: B8413F25A18E8189E720EF13E8546ED6720FBE4BA4F904071EA4D676B5DF3CE64DC700

Function 00007FFE1320221C Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202275
OutputDebugStringA.KERNEL32 ref: 00007FFE1320227F

Part of subcall function 00007FFE13203698: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203717
Part of subcall function 00007FFE13203698: OutputDebugStringA.KERNEL32 ref: 00007FFE13203721

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132022C9
OutputDebugStringA.KERNEL32 ref: 00007FFE132022D2

Strings

GetFeature: invalid report id %d, xrefs: 00007FFE132022BB
GetFeature: output buffer too small. Size %d, expect %d, xrefs: 00007FFE13202302
GetFeature, xrefs: 00007FFE13202266

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: GetFeature$GetFeature: invalid report id %d$GetFeature: output buffer too small. Size %d, expect %d
API String ID: 79745889-3916486426
Opcode ID: 01a1b0822caab69461dbe954ec9eae928e8f7ba608eb4ac28a7acc99e7c711f7
Instruction ID: 9471e1a8b0b690e3f544aa205423e357031206883c4772b9f00a9b79d8250b68
Opcode Fuzzy Hash: 01a1b0822caab69461dbe954ec9eae928e8f7ba608eb4ac28a7acc99e7c711f7
Instruction Fuzzy Hash: EA417F26618E8199EB20EB23D8442BD7360FBE8BA4F504072EA4D67B75DF3DE549C700

Function 00007FFE13202448 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132024A0
OutputDebugStringA.KERNEL32 ref: 00007FFE132024AA

Part of subcall function 00007FFE13203698: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203717
Part of subcall function 00007FFE13203698: OutputDebugStringA.KERNEL32 ref: 00007FFE13203721

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132024F4
OutputDebugStringA.KERNEL32 ref: 00007FFE132024FD

Strings

GetInputReport: output buffer too small. Size %d, expect %d, xrefs: 00007FFE1320252D
GetInputReport: invalid report id %d, xrefs: 00007FFE132024E6
GetInputReport, xrefs: 00007FFE13202491

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: GetInputReport$GetInputReport: invalid report id %d$GetInputReport: output buffer too small. Size %d, expect %d
API String ID: 79745889-1024876767
Opcode ID: 3f22c7e6480db2682eeb50e5b7a68e78ab0da883729ff340ae19963219fc38ee
Instruction ID: b57c48b829c50da6133ef1c3411e0348e9c581b702bece2f61086ca9d5ab40b5
Opcode Fuzzy Hash: 3f22c7e6480db2682eeb50e5b7a68e78ab0da883729ff340ae19963219fc38ee
Instruction Fuzzy Hash: F5419121618E8299EB20EB23E8542FD6720FBE97A4F5040B2EA4D67775CE3CD54DC700

Function 00007FFE13203698 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 101COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203717
OutputDebugStringA.KERNEL32 ref: 00007FFE13203721
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203786
OutputDebugStringA.KERNEL32 ref: 00007FFE1320378F

Strings

WdfRequestRetrieveOutputMemory failed 0x%x, xrefs: 00007FFE132037EC
WdfRequestRetrieveInputMemory failed 0x%x, xrefs: 00007FFE13203709
WdfRequestRetrieveInputMemory: invalid input buffer. size %d, expect %d, xrefs: 00007FFE13203771

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: WdfRequestRetrieveInputMemory failed 0x%x$WdfRequestRetrieveInputMemory: invalid input buffer. size %d, expect %d$WdfRequestRetrieveOutputMemory failed 0x%x
API String ID: 79745889-1090594742
Opcode ID: 80aff233d870849c0cbc87c11f867bbff2568ec6a4f4e4078b9fa3f26c915016
Instruction ID: 50b6ebc5211e41350e4c401a6c91698e81f1f2ded92b2bf405b7c01939665795
Opcode Fuzzy Hash: 80aff233d870849c0cbc87c11f867bbff2568ec6a4f4e4078b9fa3f26c915016
Instruction Fuzzy Hash: 0A413126608E8289E710EF56E8802EE6761FBE8BA4F504072DA4D67775CF3CD549C740

Function 00007FFE13202FA4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203025
OutputDebugStringA.KERNEL32 ref: 00007FFE1320302F
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320308F
OutputDebugStringA.KERNEL32 ref: 00007FFE13203098

Strings

WdfRequestRetrieveOutputMemory failed 0x%x, xrefs: 00007FFE13203017
WdfMemoryCopyFromBuffer failed 0x%x, xrefs: 00007FFE132030F5
RequestCopyFromBuffer: buffer too small. Size %d, expect %d, xrefs: 00007FFE1320307E

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: RequestCopyFromBuffer: buffer too small. Size %d, expect %d$WdfMemoryCopyFromBuffer failed 0x%x$WdfRequestRetrieveOutputMemory failed 0x%x
API String ID: 79745889-3405115737
Opcode ID: 2ec1cebfa06fe716da7dd59f542e31adca3a226b2322e9e272680fa5f53667f5
Instruction ID: b78c4db11058f4420094fbd849f9757b82336558c9ba3b7830894f62b4fde593
Opcode Fuzzy Hash: 2ec1cebfa06fe716da7dd59f542e31adca3a226b2322e9e272680fa5f53667f5
Instruction Fuzzy Hash: 44413026B18E418AE720AB17E8806EE6321FBE8BA4F504072EE4D67775DF3DD549C700

Function 00007FFE13203B50 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

DbgPrintEx.NTDLL ref: 00007FFE13203B9D
DbgPrintEx.NTDLL ref: 00007FFE13203C45
DbgPrintEx.NTDLL ref: 00007FFE13203CB6
DbgPrintEx.NTDLL ref: 00007FFE13203CCA

Strings

FxStubBindClasses: invalid driver image, the address of symbol __KMDF_CLASS_BIND_START 0x%p is greater than the address of symbol __KMDF_CLASS_BIND_END 0x%p, status 0x%x, xrefs: 00007FFE13203B8D
FxStubBindClasses: VersionBindClass WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x, xrefs: 00007FFE13203C9E
FxGetNextClassBindInfo failed, xrefs: 00007FFE13203CC0
FxStubBindClasses: ClientBindClass %p, WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x, xrefs: 00007FFE13203C27

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: Print
String ID: FxGetNextClassBindInfo failed$FxStubBindClasses: ClientBindClass %p, WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x$FxStubBindClasses: VersionBindClass WDF_CLASS_BIND_INFO 0x%p, class %S, returned status 0x%x$FxStubBindClasses: invalid driver image, the address of symbol __KMDF_CLASS_BIND_START 0x%p is greater than the address of symbol __KMDF_CLASS_BIND_END 0x%p, status 0x%x
API String ID: 3558298466-25039098
Opcode ID: f02df258cd53c364223eff0353354d87365857eeac632ec2e8b57c0b11e4937c
Instruction ID: 92cbdaf28fc13c4f03893f27a3edb6afc47b2d5358da21c1b639ffb68f158449
Opcode Fuzzy Hash: f02df258cd53c364223eff0353354d87365857eeac632ec2e8b57c0b11e4937c
Instruction Fuzzy Hash: 97414E71A08E468AEA10EF17E8445AE73A0FBA8FA4F554172DA4D63374DF3CE54AC240

Function 00007FFE13203DB0 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE13203DD8
__scrt_acquire_startup_lock.LIBCMT ref: 00007FFE13203E2A
_RTC_Initialize.LIBCMT ref: 00007FFE13203E58
__scrt_dllmain_after_initialize_c.LIBCMT ref: 00007FFE13203E7E
__scrt_release_startup_lock.LIBCMT ref: 00007FFE13203EA9

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: 954c3e957acb9558f11fa21a36b279f32b61ef67e54de2f5c0e76da4e01a6560
Instruction ID: 57a90a152a49ffef8caee3764849b12e6de0ac1f218c6a351a1d1ed7df84c348
Opcode Fuzzy Hash: 954c3e957acb9558f11fa21a36b279f32b61ef67e54de2f5c0e76da4e01a6560
Instruction Fuzzy Hash: F781AF20E08E438EF654BB6794412BE62A1AFF57A0F5481B5DA0D737B6DE3CE44DCA40

Function 00007FFE13202D08 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL ref: 00007FFE13202DB7
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202E87
OutputDebugStringA.KERNEL32 ref: 00007FFE13202E90

Strings

No. of report descriptor bytes copied: %d, xrefs: 00007FFE13202E77
8, xrefs: 00007FFE13202E00
MyReportDescriptor, xrefs: 00007FFE13202DAC

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: String$DebugInitOutputUnicodeswprintf
String ID: 8$MyReportDescriptor$No. of report descriptor bytes copied: %d
API String ID: 4008883908-1845194508
Opcode ID: b02a79a54b4ddba33779877d9069f3ab775a5e906b3da4e03cffeec6627880c0
Instruction ID: 9b9ba75050fc2f8ccab7c5b8cbb05245d233e4c2ce1f07132eaac92c5fe0d249
Opcode Fuzzy Hash: b02a79a54b4ddba33779877d9069f3ab775a5e906b3da4e03cffeec6627880c0
Instruction Fuzzy Hash: DF510736A08F468AE7109B16E8443AE7760F7E8BA4F500176DA8C57735CF7DE589C700

Function 00007FFE13202698 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320270C
OutputDebugStringA.KERNEL32 ref: 00007FFE13202716
swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202783
OutputDebugStringA.KERNEL32 ref: 00007FFE13202790

Strings

GetStringId: invalid input buffer. size %d, expect %d, xrefs: 00007FFE1320276A
WdfRequestRetrieveInputMemory failed 0x%x, xrefs: 00007FFE132026FE

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: GetStringId: invalid input buffer. size %d, expect %d$WdfRequestRetrieveInputMemory failed 0x%x
API String ID: 79745889-555852278
Opcode ID: 38d0409d3813333f2bee9a46dfebe6d07e6bd4e1a022ccd2fc7e73a9e0900cbb
Instruction ID: e2ae582cca2db9a30b8afdeee56ea03db1908b01b14a072962f5a244842db25e
Opcode Fuzzy Hash: 38d0409d3813333f2bee9a46dfebe6d07e6bd4e1a022ccd2fc7e73a9e0900cbb
Instruction Fuzzy Hash: 04314475618E428AE721EB17E8542AE6360FBE8B60F504072DA4EA3775DF3CD549C740

Function 00007FFE13203390 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132033DC
OutputDebugStringA.KERNEL32 ref: 00007FFE132033E6

Part of subcall function 00007FFE13203860: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132038D3
Part of subcall function 00007FFE13203860: OutputDebugStringA.KERNEL32 ref: 00007FFE132038DD

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13203442
OutputDebugStringA.KERNEL32 ref: 00007FFE1320344F

Strings

SetOutputReport, xrefs: 00007FFE132033CD
SetOutputReport: invalid input buffer. size %d, expect %d, xrefs: 00007FFE13203428

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: SetOutputReport$SetOutputReport: invalid input buffer. size %d, expect %d
API String ID: 79745889-2303318144
Opcode ID: c11430cfef5bba140b3b919910bcc19f44db8ca4e0b832e1d45df74e04fbc7af
Instruction ID: 8aec76f9a958cdcc00d4f0fb3c30190635a69f3ddb1b7a7999dfc64216f2b8db
Opcode Fuzzy Hash: c11430cfef5bba140b3b919910bcc19f44db8ca4e0b832e1d45df74e04fbc7af
Instruction Fuzzy Hash: 64215321A18E8185E620EB17F8943AEA760FBE8BA0F504071EA8D67775DE3CD54DCB40

Function 00007FFE132059EC Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FFE13205815,?,?,?,?,00007FFE1320441D,?,?,?,?,00007FFE13203DDD), ref: 00007FFE13205A0B
FlsGetValue.KERNEL32(?,?,?,00007FFE13205815,?,?,?,?,00007FFE1320441D,?,?,?,?,00007FFE13203DDD), ref: 00007FFE13205A19
SetLastError.KERNEL32(?,?,?,00007FFE13205815,?,?,?,?,00007FFE1320441D,?,?,?,?,00007FFE13203DDD), ref: 00007FFE13205A96

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 3a53b49d89fcfb0990be15416f23b776ae89fad4ae039d28db4b36a074390e63
Instruction ID: a35c40a86d97186b5d726e9d0991bf851a03447b25232bd14c59104c62b558f8
Opcode Fuzzy Hash: 3a53b49d89fcfb0990be15416f23b776ae89fad4ae039d28db4b36a074390e63
Instruction Fuzzy Hash: 8B110020A0DE528AFE64AB27D84413D7251AFECBB0B6446B4D96E377F5DE2CA449C600

Function 00007FFE132025BC Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13202698: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320270C
Part of subcall function 00007FFE13202698: OutputDebugStringA.KERNEL32 ref: 00007FFE13202716

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320262F
OutputDebugStringA.KERNEL32 ref: 00007FFE13202639

Strings

UMDF Virtual AccessKey FIDO HID Device Product string, xrefs: 00007FFE1320265B
UMDF Virtual AccessKey FIDO HID Device Manufacturer string, xrefs: 00007FFE1320266A
GetString: unkown string id %d, xrefs: 00007FFE13202621
UMDF Virtual AccessKey FIDO HID Device Serial Number string, xrefs: 00007FFE1320264C

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: GetString: unkown string id %d$UMDF Virtual AccessKey FIDO HID Device Manufacturer string$UMDF Virtual AccessKey FIDO HID Device Product string$UMDF Virtual AccessKey FIDO HID Device Serial Number string
API String ID: 79745889-1896618911
Opcode ID: c4f2a244a1dc23aea743032f213965f659474282e2358e41eed4bfeb1af6266f
Instruction ID: 18d39f626284c223d521a1fc6e304047880b3acaaf4c8665db69219b150a794f
Opcode Fuzzy Hash: c4f2a244a1dc23aea743032f213965f659474282e2358e41eed4bfeb1af6266f
Instruction Fuzzy Hash: 00116061A1CA4289FA71BB17E4543BD6250EBEA760F8040B3E94D666B5DE2CE60CCB40

Function 00007FFE13205533 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE132055E3
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1320567F
RtlUnwindEx.NTDLL ref: 00007FFE132056CE

Strings

csm, xrefs: 00007FFE13205665
f, xrefs: 00007FFE132055F6

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: fba172f9e0be19d4b70c4800c4adb321cd4f8c035479ce89570abe1b3d123658
Instruction ID: aafe0c0381131ff3246a8c69008c5dc05e9e969af15165aa8bc03d0de6e1216f
Opcode Fuzzy Hash: fba172f9e0be19d4b70c4800c4adb321cd4f8c035479ce89570abe1b3d123658
Instruction Fuzzy Hash: FA51B336A0DA02CED714EB16E404A3C3795FBA4BA8F708570DA0A67768DF78E848C700

Function 00007FFE132023A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE13202698: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE1320270C
Part of subcall function 00007FFE13202698: OutputDebugStringA.KERNEL32 ref: 00007FFE13202716

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132023FF
OutputDebugStringA.KERNEL32 ref: 00007FFE13202409

Strings

GetString: unkown string index %d, xrefs: 00007FFE132023F1
UMDF Virtual AccessKey FIDO HID Device, xrefs: 00007FFE1320241F

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: GetString: unkown string index %d$UMDF Virtual AccessKey FIDO HID Device
API String ID: 79745889-2538044269
Opcode ID: eeeb98476b812c8bfa2d5e2a05108d0f48fbaa56241f4f89c7e4470fe9665883
Instruction ID: cefa436e77eb407c765e4b5b4b98c76aa84bbefd7c80a7da774c65c83d08cdcc
Opcode Fuzzy Hash: eeeb98476b812c8bfa2d5e2a05108d0f48fbaa56241f4f89c7e4470fe9665883
Instruction Fuzzy Hash: E6012165B28A4246E631BB13E4513EE6350FFE9764F805072EA4D66A75DF3CE14CCB40

Function 00007FFE13203860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE132038D3
OutputDebugStringA.KERNEL32 ref: 00007FFE132038DD

Strings

WdfRequestRetrieveInputMemory failed 0x%x, xrefs: 00007FFE132038C5

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: WdfRequestRetrieveInputMemory failed 0x%x
API String ID: 79745889-1324185097
Opcode ID: bd0ce6cc008070f1534a7335cc03115e47e4efc729aa8a19adac5ad3c39e0905
Instruction ID: 560392792d2f0ac11551d2f67fb1913b51e28d10752cf44bd1d7194bdc785f75
Opcode Fuzzy Hash: bd0ce6cc008070f1534a7335cc03115e47e4efc729aa8a19adac5ad3c39e0905
Instruction Fuzzy Hash: 31111D35A18E4589E720AB17F8902AE73A0FBECBA4F404172DA8D93775DE3CD158CB40

Function 00007FFE13202EF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FFE13202F6A
OutputDebugStringA.KERNEL32 ref: 00007FFE13202F74

Strings

WdfRequestForwardToIoQueue failed with 0x%x, xrefs: 00007FFE13202F59

Memory Dump Source

Source File: 00000036.00000002.3598617377.00007FFE13201000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00007FFE13200000, based on PE: true

Associated: 00000036.00000002.3598576040.00007FFE13200000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598653168.00007FFE13206000.00000002.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598685469.00007FFE1320A000.00000004.00000001.01000000.0000000E.sdmpDownload File
Associated: 00000036.00000002.3598716690.00007FFE1320B000.00000002.00000001.01000000.0000000E.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_54_2_7ffe13200000_WUDFHost.jbxd

Similarity

API ID: DebugOutputStringswprintf
String ID: WdfRequestForwardToIoQueue failed with 0x%x
API String ID: 79745889-420988317
Opcode ID: 4570f5cfa8f07c1f8e7aa15afdc99eb437d33734220852b2caeb4416c538655f
Instruction ID: a9143db5b319ac119cfc543f211a68066df2113dfafbbeb658c5ee8671fb2786
Opcode Fuzzy Hash: 4570f5cfa8f07c1f8e7aa15afdc99eb437d33734220852b2caeb4416c538655f
Instruction Fuzzy Hash: AC111B36B18E8189E721AF16E8913EE6360FBECBA4F804172DA8D53775DE2CD559C700

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\IDmelon\Accesskey\.accesskey

C:\Program Files (x86)\IDmelon\Accesskey\Accesskey website.url

C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe

C:\Program Files (x86)\IDmelon\Accesskey\AccesskeyCli.exe.config

C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll

C:\Program Files (x86)\IDmelon\Accesskey\BioKey.dll.config

C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFMatcher.dll

C:\Program Files (x86)\IDmelon\Accesskey\BioMini.UFScanner.dll

C:\Program Files (x86)\IDmelon\Accesskey\CBOR.dll

C:\Program Files (x86)\IDmelon\Accesskey\CSharpControls.Wpf.dll

C:\Program Files (x86)\IDmelon\Accesskey\ClientLog.config

C:\Program Files (x86)\IDmelon\Accesskey\CommandLine.dll

C:\Program Files (x86)\IDmelon\Accesskey\DB.dll

C:\Program Files (x86)\IDmelon\Accesskey\DB.dll.config

C:\Program Files (x86)\IDmelon\Accesskey\DefaultLog.config

C:\Program Files (x86)\IDmelon\Accesskey\DeviceId.dll

C:\Program Files (x86)\IDmelon\Accesskey\Driver\AccessKeyFidoVhid.dll

Windows Analysis Report
SecuriteInfo.com.PUA.Tool.InstSrv.10.14191.25974.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre