
Windows Analysis Report
rootkit.exe

Overview

General Information

Sample Name:rootkit.exe
Analysis ID:803790
MD5:9219e2cfcc64ccde2d8de507538b9991
SHA1:181e59600d057dc6b31a3b19d7f4f75301a3425e
SHA256:5af3fd53aea5e008d8725c720ea0290e2e0cd485d8a953053ccf02e5e81a94a0

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
One or more processes crash
PE file contains an invalid checksum
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality for execution timing, often used to detect debuggers

  • System is w10x64
  • rootkit.exe (PID: 4040 cmdline: C:\Users\user\Desktop\rootkit.exe MD5: 9219E2CFCC64CCDE2D8DE507538B9991)
    • WerFault.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 260 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: rootkit.exe | Avira: detected
Source: rootkit.exe | ReversingLabs: Detection: 85%
Source: rootkit.exe | Joe Sandbox ML: detected
Source: 0.2.rootkit.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.0.rootkit.exe.400000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: rootkit.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Amcache.hve.3.dr | String found in binary or memory: http://upx.sf.net
Source: rootkit.exe | Binary or memory string: OriginalFilename vs rootkit.exe
Source: rootkit.exe, 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamenotepad.exeD vs rootkit.exe
Source: rootkit.exe | Binary or memory string: OriginalFilenamenotepad.exeD vs rootkit.exe
Source: C:\Users\user\Desktop\rootkit.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 260
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_00412000
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_00413407
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_0041330C
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004132D6
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004133D6
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_00413458
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_0041335F
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_00413427
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_0041332C
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004132B9
Source: rootkit.exe | Static PE information: Section: .dKVU ZLIB complexity 0.9956856343283582
Source: rootkit.exe | ReversingLabs: Detection: 85%
Source: C:\Users\user\Desktop\rootkit.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\rootkit.exe C:\Users\user\Desktop\rootkit.exe
Source: C:\Users\user\Desktop\rootkit.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 260
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4040
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF96.tmp
Source: classification engine | Classification label: mal60.winEXE@2/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: rootkit.exe | Static PE information: real checksum: 0x1504a should be: 0x224c3
Source: rootkit.exe | Static PE information: section name: .dKVU
Source: rootkit.exe | Static PE information: section name: .cPBG
Source: rootkit.exe | Static PE information: section name: .aFUR
Source: rootkit.exe | Static PE information: section name: .rOPG
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004130BF rdtsc
Source: Amcache.hve.3.dr | Binary or memory string: VMware
Source: Amcache.hve.3.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.3.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr | Binary or memory string: VMware7,1
Source: Amcache.hve.3.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr | Binary or memory string: VMware, Inc.me
Source: Amcache.hve.3.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.3.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004130BF IsDebuggerPresent,GlobalFree,SetProcessAffinityMask,CloseHandle,IsDebuggerPresent,GetModuleHandleA,GetProcAddress,GetCurrentThread
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004130BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\rootkit.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\rootkit.exe | Code function: 0_2_004130BF rdtsc
Source: Amcache.hve.3.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
MITRE ATT&CK matrix, listed per tactic column; a number in parentheses is the match count shown for that technique, cells without a number had no match:
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Virtualization/Sandbox Evasion (1); Software Packing (2); Process Injection (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (41); Virtualization/Sandbox Evasion (1); System Information Discovery (1); Remote System Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior graph (ID 803790, sample rootkit.exe, start date 10/02/2023, architecture WINDOWS, score 60): rootkit.exe started; rootkit.exe started WerFault.exe; WerFault.exe dropped C:\ProgramData\Microsoft\...\Report.wer (Unicode). Signatures attached at graph level: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample.

Antivirus results for the submitted sample (Source | Detection | Scanner | Label):
rootkit.exe | 85% | ReversingLabs | Win32.Trojan.Zeus
rootkit.exe | 100% | Avira | TR/Crypt.EPACK.Gen2
rootkit.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Unpacked PE files (Source | Detection | Scanner | Label):
0.2.rootkit.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
0.0.rootkit.exe.400000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
No Antivirus matches
No Antivirus matches
No contacted domains info
URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
http://upx.sf.net | Amcache.hve.3.dr | false | | high
No contacted IP infos
    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:803790
    Start date and time:2023-02-10 09:53:06 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 6m 8s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Run name:Run with higher sleep bypass
    Number of new started processes analysed:9
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample file name:rootkit.exe
    Detection:MAL
    Classification:mal60.winEXE@2/6@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 97.2% (good quality ratio 61.1%)
    • Quality average: 47.8%
    • Quality standard deviation: 39.4%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 1
    • Number of non-executed functions: 10
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.189.173.20
    • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, watson.telemetry.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: rootkit.exe
    No simulations
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.6698785818400529
    Encrypted:false
    SSDEEP:96:IFUlFlGsFslgU3Chf1pXIQcQvc6QcEDMcw3Db+HbHg/vtuuzOOyWZAXGng5FMTPE:QUl3vNHBUZMXYjOq/u7shS274It0o
    MD5:6EA133732BD0C649684FF4C22EA8E3A7
    SHA1:7D06C8E05011D9F41178F38427D4930176FEF340
    SHA-256:8EB6C87EE3593DC79EB24C5DEE934DC2D20A3B3D475779433AFA854B6AD977BE
    SHA-512:3CC45F26601DA16B06635BACAAB3CBD0BB16AA6FB0C77521AC78DE08C0888777D461BA04DEA86712524B0602467E6F8C29E7E808D0A9CE02597F844CF91CC915
    Malicious:true
    Reputation:low
    Preview (UTF-16 text decoded): Version=1 EventType=APPCRASH EventTime=133204928445495345 ReportType=2 Consent=1 UploadTime=133204928452057920 ReportStatus=524384 ReportIdentifier=d3f9fbe9-2882-47a2-9848-58d261ef57f9 IntegratorReportIdentifier=605b6893-32a0-4eea-93c9-bf305cf74b6b Wow64Host=34404 Wow64Guest=332 NsAppName=rootkit.exe AppSessionGuid=00000fc8-0001-001f-3820-b3392d3dd901 TargetAppId=W:0006ba030acc0a3c523491cc5bf2a012acaa00000904!0000181e59600d057dc6b31a3b19d7f4f75301a3425e!rootkit.exe TargetAppVer=20
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Fri Feb 10 08:54:04 2023, 0x1205a4 type
    Category:dropped
    Size (bytes):30946
    Entropy (8bit):1.9662363757620618
    Encrypted:false
    SSDEEP:96:5t87a85GYgJjSQfvi7oWJDvvxgX83e5wnPxRBy36oTVE+/WruV2/E+IRHWInWIXq:E7ZgJjSuvOtOpwJRB26orWq7vfHFzL
    MD5:45BC23C74BE1D24BED8695EA853B25E4
    SHA1:21876E866E976DC1592FB392AC058D174DFF0F53
    SHA-256:7B9AAFE4FC3A498E024EE9AEE1C1429D0F7EAF1E03D88CFD835401A4EFFA5D88
    SHA-512:69D049F3746674B8CF84F00799F5CE34E1A23CB12CA4AA0CDFCD8E19942965188BE1718FAB88747DED79F77AD9B16C2522D896C61C2D391337049F1B5E1DD01A
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):8260
    Entropy (8bit):3.687643557806207
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNiJN6DkwY6YeUSUEkigmfMSs+pr789bPqsfkwAlm:RrlsNiD6Dk6Y9SUFigmfMScPJfke
    MD5:07F17224D7742A09FE7F44DE6F3EACDD
    SHA1:0162072A79982E595984C96C6BA65318E4EEA9B9
    SHA-256:C9B1554CCCDEDDD44976741DBCD8CB6F11816E2E77E9B57D674FD20382626416
    SHA-512:2F245CDA7BB620049A80FF4555500C4F89119E5412038CD27394C18DCFBFAD024BC4B4ACECB6C4A6FEBC9A250704D257624A60263A93EB96B54F5F8B40A49FA2
    Malicious:false
    Reputation:low
    Preview (UTF-16 text decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>4040</Pid>
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4546
    Entropy (8bit):4.425706109342723
    Encrypted:false
    SSDEEP:48:cvIwSD8zsoJgtWI9vg7IhWgc8sqYja8fm8M4Ji+uFFD+q8oNSm9bpWwd:uITfuXXgrsqY7JV0DPSm9bpWwd
    MD5:8FD7F49B207535C052309FB29E952B64
    SHA1:E545E19F434D6BA28E054D3D1FEE67DBDF5885BF
    SHA-256:0886DF131AE430DB2DA6D2D4E49ADCFA744F6D4F8AD79871C318B753380C20DE
    SHA-512:2FCB8B0F5BE78AD3E3DB693D5C4D4EE668BF3D6811B2B30FF15F1412AA397AEB79C991535EE1A76AEBA6A2042B424D1644D073CE67171E7F03A6F90248EAA121
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1906204" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):1572864
    Entropy (8bit):4.308369348607176
    Encrypted:false
    SSDEEP:12288:U3jXUOcSwiyFUoJCaq9odTlW+ACEqarKXMSWKUKnGOZWs6RP8a:EjXUOcSwiy+oJCq6+j
    MD5:7545D1964079915FADA3485482AF779A
    SHA1:F20DA76A05E455451C1CE54122F4415478669A73
    SHA-256:59BF45FA42E13ED1199666215A4C8DD3706ACED75C70C3605DABE2A8D23F1986
    SHA-512:F87F9BB10977175D6BD1D02C0457DF28FD76127A00D744E7120FF964C5AB4BA3A66D02EDB9EA3295F515E027AB3DC7DFF2B4051064473F6EE1F6DBE411756C0C
    Malicious:false
    Reputation:low
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:MS Windows registry file, NT/2000 or above
    Category:dropped
    Size (bytes):36864
    Entropy (8bit):4.0782965125175386
    Encrypted:false
    SSDEEP:768:7J/0gGK6i5auf3g/eeDzenNYtjIHaysoSw+aOi/qf4WwssWB3o4o:p6qGhDxo8o
    MD5:907B95F8014537CD287EC84BAEABEADF
    SHA1:F4FEF926677DECF96E9656807F0AB449D4DDE3B9
    SHA-256:824C8CB33EE7013DA56F28207DDED4140601DF6768F0971C601817F9D7AFA998
    SHA-512:B9894DDA758D9581E428796B09DA964663510D80719F8A185AA412909D68A4840B8472DBF048BC460836A31B4B493143F1E055A726DC8541E9D320B1E71C678A
    Malicious:false
    Reputation:low
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.884573875584192
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • VXD Driver (31/22) 0.00%
    File name:rootkit.exe
    File size:76288
    MD5:9219e2cfcc64ccde2d8de507538b9991
    SHA1:181e59600d057dc6b31a3b19d7f4f75301a3425e
    SHA256:5af3fd53aea5e008d8725c720ea0290e2e0cd485d8a953053ccf02e5e81a94a0
    SHA512:81aa2fbde8567f4a3446d56a8fec8b346f9c4093f5baa32db4069644ad3fec64c6c2d749173557e5247144b92fa12ddb14de55ca3687867d4aea4c37124c9f54
    SSDEEP:1536:m+6OXCt1SXBW0bBaKLXDduSOxqEDX0+G3L6f2X4ZmfwhRYE:/6Y41aBNbBBXkSCPDMV4hmE
    TLSH:937302DEB7BC08E8C53986BA773709FAC65FF15243150E7A489024BDDE4469A8B07D34
    File Content Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......K...............C..........................@..........................P......JP.....................................
    Icon Hash:00828e8e8686b000
    Entrypoint:0x400000
    Entrypoint Section:
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    DLL Characteristics:
    Time Stamp:0x4B85E1CD [Thu Feb 25 02:34:53 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:1
    OS Version Minor:0
    File Version Major:1
    File Version Minor:0
    Subsystem Version Major:1
    Subsystem Version Minor:0
    Import Hash:68b959f526f1bb79907383ec0f4e13e7
    Instruction
    dec ebp
    pop edx
    jmp 00007F2B08AC686Eh
    add byte ptr [eax+eax], al
    adc byte ptr [eax], al
    Data directories (Name | Virtual Address | Virtual Size | Is in Section):
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13701 | 0x4d9 | .aFUR
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x478 | .rOPG
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Sections (Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
    .dKVU | 0x1000 | 0x10bcf | 0x10c00 | False | 0.9956856343283582 | data | 7.992547123865533 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .cPBG | 0x12000 | 0x6c3 | 0x800 | False | 0.68896484375 | data | 5.837742652863941 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .aFUR | 0x13000 | 0xbda | 0xc00 | False | 0.5748697916666666 | data | 5.994904998662308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rOPG | 0x14000 | 0x478 | 0x600 | False | 0.375 | data | 3.7582822519359675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Resources (Name | RVA | Size | Type | Language | Country):
    RT_VERSION | 0x1428c | 0x1ec | data | |
    RT_MANIFEST | 0x14090 | 0x1e9 | XML 1.0 document, ASCII text, with CRLF line terminators | |
    Imports (DLL | Import):
    KERNEL32.DLL | CloseHandle, CompareFileTime, ExitProcess, GetCurrentThread, GetDiskFreeSpaceA, GetExitCodeProcess, GetFileSize, GetLastError, GetModuleHandleA, GetProcAddress, GetTickCount, GlobalFree, IsDebuggerPresent, LoadLibraryA, SearchPathA, SetProcessAffinityMask, Sleep, SleepEx, UnmapViewOfFile, VirtualAlloc, VirtualFree, VirtualProtect, lstrcatA, lstrcmpA, lstrlenA
    GDI32.DLL | CreateBrushIndirect, CreateFontIndirectA, DeleteObject, GetDeviceCaps, SetBkColor, SetTextColor
    USER32.DLL | AppendMenuA, EndDialog, EqualRect, FindWindowA, FindWindowExA, GetMenu, GetMessagePos, InvalidateRect, IsCharUpperA, LoadCursorA, MessageBoxA, PostQuitMessage, ScreenToClient, SetCaretPos, TrackPopupMenuEx
    Report size exceeds maximum size, please check out the PCAP download to see all network behavior
    [Charts omitted: one plots process activity over a 0 to 150 s time axis on a 0 to 100 scale, one plots memory over a 0 to 150 s time axis on a 0 to 15 MB scale, and a behavior distribution chart splits activity into File and Registry categories.]
    Target ID:0
    Start time:09:54:03
    Start date:10/02/2023
    Path:C:\Users\user\Desktop\rootkit.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\rootkit.exe
    Imagebase:0x400000
    File size:76288 bytes
    MD5 hash:9219E2CFCC64CCDE2D8DE507538B9991
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

    Target ID:3
    Start time:09:54:03
    Start date:10/02/2023
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 260
    Imagebase:0xc0000
    File size:434592 bytes
    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high

    Execution Graph

    Execution Coverage

    Dynamic/Packed Code Coverage

    Signature Coverage

    Execution Coverage:1.5%
    Dynamic/Decrypted Code Coverage:46.4%
    Signature Coverage:85.7%
    Total number of Nodes:28
    Total number of Limit Nodes:2
    Execution graph (node address, API calls made in the node, successor nodes):
    0x412000 -> 0x4130bf
    0x4130bf -> 0x4130d4, 0x4126b8
    0x4130d4 IsDebuggerPresent, GlobalFree -> 0x413154
    0x413154 -> 0x4131d0
    0x4131d0 SetProcessAffinityMask -> 0x413262, 0x413207
    0x413207 -> 0x413262, 0x41321a
    0x41321a CloseHandle, GetPEB -> 0x413262, 0x413232
    0x413232 GetPEB, IsDebuggerPresent, GetPEB -> 0x413262, 0x41324e
    0x41324e -> 0x413262
    0x413262 -> 0x413262 (self loop), 0x413270
    0x413270 GetModuleHandleA, GetProcAddress, GetCurrentThread -> 0x4132a3
    0x4132a3 -> 0x41200b
    0x4126b8 -> 0x41200b
    0x41200b GetModuleHandleA, GetProcAddress, GetCurrentThread -> 0x412047
    0x412047 SleepEx -> 0x412077
    0x412077 -> 0x4120dd
    0x4120dd GetLastError -> 0x413000
    0x413000 GetTickCount -> 0x412103
    0x412103 -> 0x413065
    0x413065 GetProcAddress -> 0x412108
    0x412108 CloseHandle -> 0x41269f
    0x41269f -> 0x4126a9
    0x4126a9 -> 0x412148
    0x412148 GetModuleHandleA -> 0x4121c3, 0x4121be
    0x4121be -> 0x4121c3
    0x4121c3 GetModuleHandleA -> 0x412248
    0x412248 VirtualAlloc, GetTickCount, GetModuleHandleA -> 0x412248 (self loop), 0x4122b1
    0x4122b1 (no successors)

    Callgraph

    Call graph (caller -> callees):
    Function_00412000 -> Function_00413000, Function_00413649, Function_0041365D, Function_0041269F, Function_004122DF, Function_00413065, Function_004130BF
    Function_0041269F -> Function_00412620, Function_004125E0
    Function_004122DF -> Function_004122EA
    Function_00412620 -> Function_004124EE
    Function_004125E0 -> Function_00412573
    Function_004122EA -> Function_0041248D, Function_00412425, Function_004123A5
    Function_004130BF -> Function_004125E0
    Functions with no recorded call edges: Function_004125C1, Function_004135C3, Function_00413407, Function_00412549, Function_0041240D, Function_0041330C, Function_0041304E, Function_00412351, Function_00412655, Function_004124D4, Function_004132D6, Function_004133D6, Function_00413458, Function_0040115D, Function_0041335F, Function_00413427, Function_0041352A, Function_0041332C, Function_004132B9, Function_004125FB

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 64%
    			E00412000() {
    				void* _v12;
    				void* _t20;
    				signed int _t26;
    				long _t34;
    				void* _t37;
    				void* _t43;
    				signed int _t57;
    				signed int _t59;
    				void* _t69;
    				signed int _t76;
    				signed int _t78;
    				signed int _t79;
    				signed int _t84;
    				signed int _t91;
    				void* _t92;
    				void* _t93;
    				void* _t94;
    				signed int _t95;
    				void* _t96;
    				signed int _t121;
    				signed int _t125;
    				signed int _t127;
    				signed int _t128;
    				signed int _t130;
    				signed int _t132;
    				signed int _t134;
    				signed int _t135;
    				signed int _t137;
    				signed int _t150;
    				signed int _t151;
    				void* _t152;
    				signed int _t154;
    				void* _t161;
    				long _t182;
    				signed int _t184;
    				signed int _t189;
    				signed int _t190;
    
    				E004130BF(_t92, _t161); // executed
    				ss = ss;
    				_t121 = 0;
    				 *0x411b7d = GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwSetInformationThread");
    				_t20 = GetCurrentThread();
    				 *0x411b7d(_t20, 0x11, 0, 0);
    				_t26 = SleepEx(1, 0) | 0x00200020;
    				_t93 = ss;
    				asm("int 0x2a");
    				ss = _t93;
    				asm("int 0x2a");
    				ss = _t93;
    				asm("int 0x2a");
    				_t94 = ss;
    				do {
    					asm("int 0x2a");
    				} while (_t26 == _t94);
    				 *_t190(0x90909090, 0xc3, 0x41209f, 0xffffffff);
    				ss = _t94;
    				asm("int 0x2a");
    				_t95 = 2;
    				do {
    					E00413649();
    					_t162 = _t121;
    					_t78 = _t95;
    					_t121 = 0x7b5 + _t121;
    					_t137 = (_t137 | 0x0000cdff) + _t78 + _t189;
    					_t79 = _t78 & _t95;
    					_t96 = _t95;
    					E0041365D();
    					_t95 = _t96 + 1;
    				} while (_t95 != 0xff);
    				_t97 = _t189;
    				_t34 = GetLastError();
    				_t125 =  !_t121;
    				_t37 = E00413065(E00413000(_t34 + _t121, _t79, _t189 - _t190, _t125, _t137 - _t121 + _t137 - _t121 - 1, _t162 + _t97), _t79, _t189 - _t190, _t125, _t162 + _t97);
    				_t127 = _t125 - _t37 + _t79 - CloseHandle(0x737c);
    				_t43 = E0041269F((_t137 - _t121 + _t137 - _t121 - 0x00000001 ^ _t189) + _t189,  !(_t162 + _t97) - (_t189 - _t190 | 0x0000a8e0) ^ _t127);
    				asm("pushad");
    				_t128 = _t127 - _t190 + _t43 + _t189;
    				GetModuleHandleA(0);
    				_t57 =  !(_t128 - 0x19c5) ^ 0x00005b83;
    				_t84 =  !(_t79 + _t190 - _t190 ^ _t190 ^ (_t190 & _t128) + 0 + _t190 + 0x00006e5f + 0x00000001);
    				asm("popad");
    				if(_t57 == 0x392fa) {
    					E004122DF();
    				}
    				_t130 =  *(0x40115c +  *0x00401198 + 0x50);
    				asm("pushad");
    				_t59 = _t57 + _t57 ^ _t84;
    				_t132 = _t130 ^ _t189 ^ _t59;
    				_t150 = _t130 +  *0x00401190 ^ _t190;
    				GetModuleHandleA(0);
    				asm("popad");
    				_t182 = 0x30000;
    				asm("pushad");
    				_t134 = (_t132 ^ (_t84 - _t132 & (_t59 | 0x0000e130)) - _t189 - _t189) + 1;
    				_t151 =  ~_t150;
    				_t91 = (_t132 | 0x0000989b) + _t150 & 0x0001331c;
    				asm("popad");
    				do {
    					_t152 = _t151 + 0x10000;
    					_t69 = VirtualAlloc(_t152, _t182, 0x3000, 0x40);
    					asm("pushad");
    					_t135 = _t69 + _t134;
    					_t184 = _t135 + 1;
    					_t91 = _t91 & _t184;
    					_t154 = (_t152 | 0x00006c72) & _t135;
    					GetTickCount();
    					GetModuleHandleA(0);
    					_t134 = _t135 + _t190 & _t154;
    					_t182 = (_t184 ^ _t190) - _t154 & _t134;
    					_t151 = _t154 + _t154;
    					_t76 = _t134;
    					asm("popad");
    				} while (_t76 == 0);
    				_v12 = _t76;
    				while(1) {
    					asm("lodsd");
    					if(_t76 == 0) {
    						break;
    					}
    					_t76 =  *_t76;
    					asm("stosd");
    				}
    				memcpy(_v12, 0x40115c, 0x1331c);
    				goto __edi;
    			}

    APIs
      • Part of subcall function 004130BF: IsDebuggerPresent.KERNEL32 ref: 0041311D
      • Part of subcall function 004130BF: GlobalFree.KERNEL32 ref: 00413125
      • Part of subcall function 004130BF: SetProcessAffinityMask.KERNEL32(000000FF,00000001), ref: 004131F0
    • GetModuleHandleA.KERNEL32(NTDLL.DLL), ref: 00412019
    • GetProcAddress.KERNEL32(00000000,ZwSetInformationThread), ref: 00412027
    • GetCurrentThread.KERNEL32 ref: 00412034
    • SleepEx.KERNEL32(00000001,00000000), ref: 00412059
    • GetLastError.KERNEL32 ref: 004120E8
    • CloseHandle.KERNEL32(0000737C), ref: 0041212B
    • GetModuleHandleA.KERNEL32(00000000), ref: 00412172
    • GetModuleHandleA.KERNEL32(00000000), ref: 004121F7
    • VirtualAlloc.KERNEL32(?,-0000D6E4,00003000,00000040), ref: 00412257
    • GetTickCount.KERNEL32 ref: 00412283
    • GetModuleHandleA.KERNEL32(00000000,?,-0000D6E4,00003000,00000040), ref: 00412293
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID: Handle$Module$AddressAffinityAllocCloseCountCurrentDebuggerErrorFreeGlobalLastMaskPresentProcProcessSleepThreadTickVirtual
    • String ID: NTDLL.DLL$ZwSetInformationThread
    • API String ID: 91094156-2735485441
    • Opcode ID: bd6b56195b889bc8101589dc9c5b161f3f05c47de24ae2f64d4450ae4cc7002e
    • Instruction ID: 8282ee7e5fb114520c4e8c144072c7b164344765bee9e69cfdae1f4e05fc701e
    • Opcode Fuzzy Hash: bd6b56195b889bc8101589dc9c5b161f3f05c47de24ae2f64d4450ae4cc7002e
    • Instruction Fuzzy Hash: 23714B73B206100BE7289EB9CD963EE3583DBC4311F1AC23D9A4AD72C5EDB8D9454188
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Control-flow Graph

    C-Code - Quality: 55%
    			E004130BF(void* __ecx, void* __esi) {
    				void* _t21;
    
    				ss = ss;
    				asm("int 0x2a");
    				if(9 == __ecx) {
    					asm("lodsb");
    					_t21 = E004125E0(9);
    					asm("stosb");
    					asm("loop 0xfffffff8");
    					return _t21;
    				} else {
    					ss = ss;
    					__eax = 9;
    					__edx = 0;
    					asm("int 0x2a");
    					ss = __ecx;
    					asm("int 0x2a");
    					ss = __ecx;
    					asm("int 0x2a");
    					__ecx = ss;
    					ss = __ecx;
    					asm("int 0x2a");
    					__eax = 3;
    					__edx = 0;
    					gs = 3;
    					_push( *[fs:0x0]);
    					 *[fs:0x0] = __esp;
    					0 = 0 / 0;
    					__edx = 0 % 0;
    					_pop( *[fs:0x0]);
    					__esp = __esp + 4;
    					0 = IsDebuggerPresent();
    					__eax = GlobalFree(1);
    					1 = 2;
    					0x82 = 0x42;
    					__ecx = 0;
    					__esi = __esi;
    					__ecx = __ecx;
    					asm("pminsw xmm0, xmm1");
    					_push(0);
    					_push("OLLYDBG");
    					__imp__FindWindowA();
    					if(__eax != 0) {
    						_push(0x30);
    						_push("Debugger status:");
    						_push("Debugger found!");
    						_push(0);
    						__imp__MessageBoxA();
    					} else {
    						_push(0x40);
    						_push("Debugger status:");
    						_push("Debugger not found!");
    						_push(0);
    						__imp__MessageBoxA();
    					}
    					_push(0);
    					__imp__ExitProcess();
    					_push(0x2040001);
    					_push(0x40);
    					_push(0x1000);
    					_push(0x400000);
    					__imp__VirtualProtect();
    					__ebx = 0x40003c;
    					__ecx =  *0x40003c;
    					__ecx =  *0x40003c + 0x400006;
    					__ebx = 0;
    					__bx =  *__ecx;
    					_push(__ecx);
    					__ecx = __ecx + 0xf2;
    					goto L6;
    					do {
    						L7:
    						 *__ecx = 0;
    						__ecx = __ecx + 1;
    						__edx = __edx - 1;
    					} while (__edx != 0);
    					__ebx = __ebx - 1;
    					if(__ebx != 0) {
    						L6:
    						__edx = 0x28;
    						goto L7;
    					} else {
    						_pop(__ecx);
    						 *__ecx = __bx;
    						_push(0);
    						__imp__ExitProcess();
    						 *((intOrPtr*)(__esp - 0x3c)) = 0x310fac09;
    						0x30 = 0xc;
    						__eax = 0xc;
    						__eax = SetProcessAffinityMask(0xffffffff, 1);
    						asm("rdtsc");
    						0 = __eax + 0;
    						asm("rdtsc");
    						if(__eax < 0xfff) {
    							__eax =  *[fs:0x18];
    							__eax =  *( *[fs:0x18] + 0x30);
    							__eax =  *( *( *[fs:0x18] + 0x30) + 0x18);
    							if( *((intOrPtr*)( *( *( *[fs:0x18] + 0x30) + 0x18) + 0x10)) == 0) {
    								__eax = CloseHandle(0xdeadc0de);
    								__eax =  *[fs:0x30];
    								__eax =  *( *[fs:0x30] + 0x68);
    								if( *( *[fs:0x30] + 0x68) == 0) {
    									__eax =  *[fs:0x30];
    									 *((char*)( *[fs:0x30] + 2)) = 0xba;
    									__eax = IsDebuggerPresent();
    									__eax =  *[fs:0x30];
    									if( *((char*)( *[fs:0x30] + 2)) == 0xba) {
    										__eax =  *[fs:0x18];
    										__eax =  *( *[fs:0x18] + 0x30);
    										__eax =  *( *( *[fs:0x18] + 0x30) + 2) & 0x000000ff;
    										__eax =  *( *( *[fs:0x18] + 0x30) + 2) & 0x000000ff;
    										if(( *( *( *[fs:0x18] + 0x30) + 2) & 0x000000ff) == 0) {
    											asm("fclex");
    											asm("wait");
    										}
    									}
    								}
    							}
    						}
    						goto L15;
    					}
    					do {
    						L15:
    						asm("smsw eax");
    					} while ((__al & 0x00000008) != 0);
    					do {
    						asm("smsw eax");
    					} while ((__al & 0x00000002) == 0);
    					__eax = GetModuleHandleA("NTDLL.DLL");
    					 *0x411b7d = __eax;
    					__eax = GetCurrentThread();
    					 *0x411b7d(__eax, 0x11, 0, 0) = 0;
    					0x14a = 0;
    					__eax = 0;
    					__ecx =  *((intOrPtr*)(__esp + 0xc));
    					return 0;
    				}
    			}


    APIs
    • IsDebuggerPresent.KERNEL32 ref: 0041311D
    • GlobalFree.KERNEL32 ref: 00413125
    • SetProcessAffinityMask.KERNEL32(000000FF,00000001), ref: 004131F0
    • CloseHandle.KERNEL32(DEADC0DE), ref: 0041321F
    • IsDebuggerPresent.KERNEL32 ref: 0041323C
    • GetModuleHandleA.KERNEL32(NTDLL.DLL), ref: 00413275
    • GetProcAddress.KERNEL32(00000000,ZwSetInformationThread), ref: 00413283
    • GetCurrentThread.KERNEL32 ref: 00413290
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID: DebuggerHandlePresent$AddressAffinityCloseCurrentFreeGlobalMaskModuleProcProcessThread
    • String ID: Debugger found!$Debugger not found!$Debugger status:$Debugger status:$NTDLL.DLL$OLLYDBG$ZwSetInformationThread
    • API String ID: 2603286415-200480303
    • Opcode ID: 746a7a1171b543e93944868ad40a3ccee5e6b4541f1a35bf109a03e4a3d2859d
    • Instruction ID: 067595436e4dde21776fe6fe6c7f3679cb4cf05b0856d67bdb198760690171cd
    • Opcode Fuzzy Hash: 746a7a1171b543e93944868ad40a3ccee5e6b4541f1a35bf109a03e4a3d2859d
    • Instruction Fuzzy Hash: 785115B0755300AFE724AF78DC06FD23250EF05B52F1085B6F645EB2E1E6ACD981820C
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 75 4132b9-4132d0 76 4132d4-4132ec 75->76 78 4132ee-413648 76->78
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 206fec85d87c49cb6bad57ef0e62953d14d2dccf922d2afebeacab3054b7f133
    • Instruction ID: 5bbda3cfca8cf9b03157a022b51cab81f9ffa2e6cf655793dd906506510fea2d
    • Opcode Fuzzy Hash: 206fec85d87c49cb6bad57ef0e62953d14d2dccf922d2afebeacab3054b7f133
    • Instruction Fuzzy Hash: 6A9144313A8B864FF31A8DB9D9F17563A8DD74B310F61853AAD20CB6E1EBADC8458144
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 88 4132d6-4132ea call 41397e 91 4132ec 88->91 92 4132d4 91->92 93 4132ee-413648 91->93 92->91
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9d0abcb858c4f38db5ba07f2563dd37be69eeed8e65cb27210cd17e63133b703
    • Instruction ID: 356d5e93d71bec755060ca59f249b9abe5fa732feb9cb5a6e203e02ce0992b18
    • Opcode Fuzzy Hash: 9d0abcb858c4f38db5ba07f2563dd37be69eeed8e65cb27210cd17e63133b703
    • Instruction Fuzzy Hash: C3914531398B464FF31A8DB9D9F1716398DD74B310F62893AAD20CB5E1DBADC8458048
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 103 41330c-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: da1f7350871bff56d71c2fd011dd5bbaa0fb32b3985bdf621df0450e843406a6
    • Instruction ID: d541d2dea92dab1a9a9dfa69b86dd95eeee2968e6840a622f10faa52f4e96b98
    • Opcode Fuzzy Hash: da1f7350871bff56d71c2fd011dd5bbaa0fb32b3985bdf621df0450e843406a6
    • Instruction Fuzzy Hash: 418133313A8B464FF31A8DF9D9F1716298DD74B311F51863EAE20CB5E1DBACC8498144
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 113 41332c-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9f8ac9501f6e9e92bdb16f2b6d6f6d022ece3f30951546948aca36ba33d07521
    • Instruction ID: 5a7f1a2ba5ae1f87c10594aee80991c61c1d2ca796ec0c84db5ee1ffddc5c7d1
    • Opcode Fuzzy Hash: 9f8ac9501f6e9e92bdb16f2b6d6f6d022ece3f30951546948aca36ba33d07521
    • Instruction Fuzzy Hash: D48154313A8B864FF31A8CF9D9F1316294DD74B311F51963EAE20CB6E5DBACC9498144
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 122 41335f-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 86a563fc8ce0f68e418df05f5dfd53458a0ff3a3559ffb355084a845484d6d66
    • Instruction ID: 575f5ce6e922a71e6b0426f605779fa1f9778fdfa9f38adf9b686e0ce3907743
    • Opcode Fuzzy Hash: 86a563fc8ce0f68e418df05f5dfd53458a0ff3a3559ffb355084a845484d6d66
    • Instruction Fuzzy Hash: DA7141303A8B864FF31A8CF9D9E1316294DC74B311F51963EAE20CB2E5EBACC8498145
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 130 4133d6-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 75ca4a5b588daceeeb1a64c7a1ab356ab1e66af5ed2a0d16f3e423e7fcff95e2
    • Instruction ID: a757a869bdaac80de4574a08fbb83ba724f474c7d57f81f7ac703be073c9f54b
    • Opcode Fuzzy Hash: 75ca4a5b588daceeeb1a64c7a1ab356ab1e66af5ed2a0d16f3e423e7fcff95e2
    • Instruction Fuzzy Hash: 3E5131303A8B874FF31A8CF9D9E1726294DC74B310F51963E6E60CB2E5EBACC8498145
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 137 413407-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ae0e9f4fe4a459bb64c7ec51f410260590e383e812e641d17bf22a88cc96b92a
    • Instruction ID: 3be8cdd1fc41434306fc59476419b31fb02b30b35a3fdd8ddee032f560c348c3
    • Opcode Fuzzy Hash: ae0e9f4fe4a459bb64c7ec51f410260590e383e812e641d17bf22a88cc96b92a
    • Instruction Fuzzy Hash: 0C5130303A8B860FF31A8CF9DAE1716254DC74B311F50963E6E60CB2E5DBACC9498144
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 143 413427-413648
    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: eaeb8ac6ad33d0ab621dad1096828db01d2ce94ed96093b9b9b354feb3c81d41
    • Instruction ID: 5c030c4fb91e0c2b54bd9c5e94a70051661268a7d31fc37f61b262debab600b7
    • Opcode Fuzzy Hash: eaeb8ac6ad33d0ab621dad1096828db01d2ce94ed96093b9b9b354feb3c81d41
    • Instruction Fuzzy Hash: FB51FD303A8B960FF31A4CF9DAE1716244DC75B311F50963E2E61CF2E5DBADC9498285
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.392489217.0000000000413000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.392470768.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392474970.0000000000401000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392485487.0000000000412000.00000080.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.392496931.0000000000414000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_rootkit.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 6708f999a475f67738a0c3b012887c09b14d1def2d54171ee1700372a5d4c290
    • Instruction ID: 15093cdcaba1a63eb9ccc3ecf72ad60f6c21625a20879dddb5b5b8cea8a3d284
    • Opcode Fuzzy Hash: 6708f999a475f67738a0c3b012887c09b14d1def2d54171ee1700372a5d4c290
    • Instruction Fuzzy Hash: 2241BC303A4B970FF31A4CF9DAE171A244EC75B310F50963E2E61CB2E6DB99C9498281
    Uniqueness

    Uniqueness Score: -1.00%