
Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Analysis ID:1521526
MD5:44263157176d2dce120e56ae6d3ef234
SHA1:56a7650df487782d51c8974fa0e2686f86132c33
SHA256:bc72cde1d16c58b721d38dae2bcaa61b3a9bc7c22eae128e0439329f32ddef05
Tags:exe
Infos:

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Avira: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.4% probability
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041F0F0 FindFirstFileA,RemoveDirectoryA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose,0_2_0041F0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041ED60 FindClose,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,0_2_0041ED60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00407847 GetLogicalDriveStringsA,0_2_00407847
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 4x nop then push esi 0_2_0041F4D1
Source: Amcache.hve.3.dr; String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040CC61 SetWindowsHookExA 0000000D,0040D0C3,?,00000000 0_2_0040CC61
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040C4BD OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0040C4BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040C39B GlobalAlloc,GlobalLock,RtlMoveMemory,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0040C39B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040DEC4 GetCurrentProcess,OpenProcess,LocalAlloc,NtQueryInformationProcess,LocalFree,CloseHandle,0_2_0040DEC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041293F OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,0_2_0041293F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00423D60 0_2_00423D60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_004242E0 0_2_004242E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_004216A0 0_2_004216A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00422F90 0_2_00422F90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe, 00000000.00000000.1893032318.000000000043A000.00000008.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe, 00000000.00000002.2033501137.000000000077E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Binary or memory string: OriginalFilenamewininit.exeD vs SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine; Classification label: mal68.spyw.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,0_2_0041273E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040C6B5 CreateToolhelp32Snapshot,Process32First,CloseHandle,Process32Next,CloseHandle,0_2_0040C6B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00413144 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle,0_2_00413144
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6511a8d9-44cd-43fa-b20c-0b3db0d90bac
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Source: unknown; Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_004012AD KiUserExceptionDispatcher,GetSystemMetrics,LoadLibraryA,GetProcAddress,CreateFileA,0_2_004012AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00424950 push eax; ret 0_2_0042497E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040BA88 push E8000001h; iretd 0_2_0040BA8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00412AB1 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00412AB1
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: OpenSCManagerA,EnumServicesStatusA,GetProcessHeap,HeapAlloc,EnumServicesStatusA,RtlMoveMemory,OpenServiceA,QueryServiceConfigA,GetProcessHeap,HeapAlloc,QueryServiceConfigA,RtlMoveMemory,GetProcessHeap,HeapFree,CloseServiceHandle,GetProcessHeap,HeapFree,CloseServiceHandle,0_2_00414175
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: OpenSCManagerA,EnumServicesStatusA,GlobalAlloc,EnumServicesStatusA,GlobalFree,CloseServiceHandle,0_2_00415536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: OpenSCManagerA,EnumServicesStatusExA,GlobalAlloc,EnumServicesStatusExA,RtlMoveMemory,OpenServiceA,QueryServiceConfigA,GlobalAlloc,QueryServiceConfigA,RtlMoveMemory,GlobalFree,CloseServiceHandle,GlobalFree,CloseServiceHandle,0_2_00415BE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; API coverage: 1.7 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041F0F0 FindFirstFileA,RemoveDirectoryA,RemoveDirectoryA,DeleteFileA,FindNextFileA,FindClose,0_2_0041F0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041ED60 FindClose,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,0_2_0041ED60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00407847 GetLogicalDriveStringsA,0_2_00407847
Source: Amcache.hve.3.dr; Binary or memory string: VMware
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr; Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr; Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr; Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr; Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr; Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; API call chain: ExitProcess graph end node graph_0-14781
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; API call chain: ExitProcess graph end node graph_0-14972
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; API call chain: ExitProcess graph end node graph_0-14942
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; API call chain: ExitProcess graph end node graph_0-14769
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_004012AD KiUserExceptionDispatcher,GetSystemMetrics,LoadLibraryA,GetProcAddress,CreateFileA,0_2_004012AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041D500 GetProcessHeap,RtlAllocateHeap,MessageBoxA,0_2_0041D500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_004022EE SetUnhandledExceptionFilter,0_2_004022EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0040234C SetUnhandledExceptionFilter,0_2_0040234C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_00420290 cpuid 0_2_00420290
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: 0_2_0041D770 GetVersionExA,0_2_0041D770
Source: Amcache.hve.3.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr; Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; Code function: \cmd.exe 0_2_00410A09
MITRE ATT&CK Matrix (one line per tactic, cells in matrix row order; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Command and Scripting Interpreter (1); Service Execution (12); Native API (1); Cron; Launchd; Scheduled Task
Persistence: Windows Service (12); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Windows Service (12); Process Injection (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (31); Virtualization/Sandbox Evasion (1); Process Discovery (1); System Service Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (11); Archive Collected Data (1); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus, Machine Learning and Genetic Malware Detection (Source; Detection; Scanner; Label)
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; 63%; ReversingLabs; Win32.Trojan.Generic
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; 100%; Avira; TR/Spy.Gen
SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe; 100%; Joe Sandbox ML
No Antivirus matches

URL detection (Source; Detection; Scanner; Label)
http://upx.sf.net; 0%; URL Reputation; safe

No contacted domains info

URLs (Name; Source; Malicious; Antivirus Detection; Reputation)
http://upx.sf.net; Amcache.hve.3.dr; false; URL Reputation: safe; unknown

No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1521526
Start date and time:2024-09-28 22:24:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 38s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Detection:MAL
Classification:mal68.spyw.winEXE@2/5@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 77%
  • Number of executed functions: 4
  • Number of non-executed functions: 74
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.42.73.29
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Time; Type; Description
16:25:34; API Interceptor; 1x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.8205709485769352
Encrypted:false
SSDEEP:96:bBFYglVWxwCjpFA8YstzkPtRmyf8QXIDcQvc6QcEVcw3cE/6wd+HbHg/8BRTf3ue:l1h2phYN0BU/YjeoqzuiFMZ24IO8i5J
MD5:6995E80BACC69EB4FBFCFE68CD16FF4F
SHA1:74D662CED532760D3B9E3B9A5D3D38D001E5EBC9
SHA-256:2DE7605F1A8572AEF3381DAAA09E17D7004616F77A7988B586EB92CDFD67D3E0
SHA-512:9B51DA19C7B70B654030FD7BBAED16E1C5F561F1EFF015CDB6E5C0134DD307909661500FC8CE0A0CE85601E137CA4394D7EE8D5458E26BE0136CADB8078A39A1
Malicious:false
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.0.2.8.7.2.1.1.4.1.5.3.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.0.2.8.7.2.1.4.8.5.3.0.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.5.f.a.c.f.3.-.c.c.0.9.-.4.6.3.c.-.9.c.6.6.-.2.2.0.0.5.8.3.7.1.a.9.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.e.7.9.f.2.4.-.2.9.1.7.-.4.5.d.d.-.b.b.d.b.-.5.1.0.0.5.7.7.3.a.6.7.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.3.2...T.r.o.j.a.n.X.-.g.e.n...1.8.9.7.3...1.3.2.6.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.w.i.n.i.n.i.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.0.-.0.0.0.1.-.0.0.1.4.-.b.5.a.a.-.3.3.8.a.e.4.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.e.d.6.c.7.a.5.b.4.6.0.8.c.b.1.8.b.a.a.0.5.6.1.6.c.b.0.b.d.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Sat Sep 28 20:25:21 2024, 0x1205a4 type
Category:dropped
Size (bytes):35888
Entropy (8bit):1.926733532911623
Encrypted:false
SSDEEP:192:jrmjTsHLOH75PZLqZ0tYoYmjDHWeR16IY:+fH75By0tpDHp
MD5:A97A0165CFCA3864453F44DF7B034A2B
SHA1:79203B6F564CBF3F83215EEAD2D73B3CDE6CF650
SHA-256:55910E1DF732A0ADD06AE9E60A3C38DB7F2063C3120E57B04AA38F014E2AD2E6
SHA-512:479817AA4B47E11E6554A80D6D0FDE6E25C00DF7355EC6FE8B039D02F1CB3DF052636E08BD8F71C489BA2D8C35A5B50F8DBA23B174AC91017001A1AA327E9EB3
Malicious:false
Reputation:low
Preview:MDMP..a..... .......1f.f........................$...............h"..........T.......8...........T................x......................................................................................................eJ......D.......GenuineIntel............T.......`...0f.f.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8512
Entropy (8bit):3.702465045410482
Encrypted:false
SSDEEP:192:R6l7wVeJac6ig6Y9YSU9Dh7LgmffGprQ89bT5sfkKxm:R6lXJJ676YiSU9tngmff+TSfc
MD5:7FDE7E13C524DBEEF1F5940659D7BC15
SHA1:747AC211141FCC2321D8B9B8B4C606B63C3D2220
SHA-256:75AAD788BD0143A86513D3CAADFBF6F8046B33DE539000DE8AF6A61F7F434747
SHA-512:ACE12BD0CF5B2B4E663A7567DA5A7E9ED06AC30B0CC0140D9B2089453A2F12FD76E7EE7D9D20790A70217A3B9FFECC0D39E250C7E63FE2AE2C73DB2A981DAC8B
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.8.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4893
Entropy (8bit):4.57509558692161
Encrypted:false
SSDEEP:48:cvIwWl8zswtJg77aI9RCrWpW8VYpjYm8M4JDNmqFrG+q8mMSm/K2vFd:uIjf2I77Ca7Vq2J/GSi2vFd
MD5:612ED854CD244194286F0437441F4CB6
SHA1:74FA0C4347FC60D67B602BABD79631C750011831
SHA-256:DEE3B36F310169BC4A6B322D1D248F02867C5508E58C1C2DD6D07B424E994BEF
SHA-512:82B4263F876178D93FC0ADF755E80E021B6B59AFAB9DD3A7AED93C011E3FE0A989B5F0FE774344781A3EC28941BC7CE5732EAE625647E387204BB91734719A11
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="520528" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.465687853453082
Encrypted:false
SSDEEP:6144:kIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNFdwBCswSbZ:ZXD94+WlLZMM6YFHf+Z
MD5:CDBA5E40F98AC56ADB58B1DE4B789F28
SHA1:9324E4C013C11B720863610E1C139C80785B58F4
SHA-256:ED8CBAF24F2CE8B78986B35381541978255CBC5154C6F2CB5EDA8D17CCDAD8F0
SHA-512:BEC7E641D061CADF061DD4D9F577285BBA9DC02F1DB5E3F3F1A131A7578AFF635430C5261F71AF7E06DB587142A4D91E98CEA86F82DF5226E05C406C494A11DD
Malicious:false
Reputation:low
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..l...................................................................................................................................................................................................................................................................................................................................................{.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.099336289847779
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
File size:170'496 bytes
MD5:44263157176d2dce120e56ae6d3ef234
SHA1:56a7650df487782d51c8974fa0e2686f86132c33
SHA256:bc72cde1d16c58b721d38dae2bcaa61b3a9bc7c22eae128e0439329f32ddef05
SHA512:37aca245d40e01b49c1481a19189bd52cac9fea53b33a1393ccb0be4ec97ffb79d125b89f3e626dd1c9ee93a4730b20c0c65595ba54e4cca9e5458202bf055a7
SSDEEP:3072:RITI68njNkWEumKMQt5wFiJOVekPiyt5P0d/uR3IgfQ8m6gXe3ul0:RhIumKMQ6i8V5PiykdA3I8EhXe3ul
TLSH:85F3F733A214C8A6D02136B622F20B38EDB447563D789177EFE4DEB1AC61562CF9794C
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*\-.K2~.K2~.K2~.W>~.K2~.W<~.K2~.T6~.K2~.m8~.K2~aT8~.K2~.K3~0K2~JDo~.K2~.m9~.K2~.K2~.K2~aT9~.K2~NM4~.K2~Rich.K2~...............
Icon Hash:90cececece8e8eb0
Entrypoint:0x401000
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x64C8CD50 [Tue Aug 1 09:16:00 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:1e137beb03917c84d5c479ef47f30e98
Instruction
call 00007F1675073160h
call 00007F1675072E71h
xor eax, eax
ret
nop
nop
nop
push ebp
mov ebp, esp
mov eax, 00000000h
jmp 00007F1675056E45h
mov esp, ebp
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 0000000Ch
mov dword ptr [ebp-04h], esp
xor eax, eax
call dword ptr [0042509Ch]
nop
nop
cmp dword ptr [ebp-04h], esp
je 00007F1675056E59h
push 00000000h
push 0402FB73h
push 00000006h
call 00007F1675072E96h
add esp, 0Ch
mov dword ptr [00428345h], 00000000h
mov dword ptr [00428349h], 00000000h
push 00000000h
mov ebx, 000008D4h
call 00007F167507353Fh
add esp, 04h
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 03h
mov eax, 00000000h
setnl al
mov dword ptr [0042834Dh], eax
call 00007F1675056E53h
mov eax, 00000000h
jmp 00007F1675056E45h
mov esp, ebp
pop ebp
ret
push ebp
mov ebp, esp
mov esp, ebp
pop ebp
ret
test ebx, ebx
jne 00007F1675056E45h
xor eax, eax
ret
mov ecx, ebx
test ecx, 00000003h
je 00007F1675056E51h
mov al, byte ptr [ecx]
inc ecx
test al, al
je 00007F1675056E7Dh
test ecx, 00000003h
jne 00007F1675056E33h
Programming Language:
  • [ C ] VS98 (6.0) SP6 build 8804
  • [ C ] VS98 (6.0) build 8168
  • [C++] VS98 (6.0) SP6 build 8804
  • [C++] VS98 (6.0) build 8168
  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26030 | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x3e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x2c4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x239d2 | 0x23a00 | 4e4a8c9bf57761c03e9543dcf78c293b | False | 0.3617324561403509 | data | 6.123504050230424 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x25000 | 0x1f72 | 0x2000 | be6f75a0e0ce694046397a15c9458685 | False | 0.3873291015625 | OpenPGP Public Key Version 2 | 5.263097382925648 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x27000 | 0x12e05 | 0x3800 | 809f032558492b22bd7ad0d452ad939c | False | 0.396484375 | data | 4.7946460050679045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3a000 | 0x3e8 | 0x400 | a3028926dad9a486c5651ddf0f9fdd93 | False | 0.5263671875 | data | 4.420889371032156 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x3a270 | 0x174 | data | | | 0.5403225806451613
RT_MANIFEST | 0x3a0a0 | 0x1cb | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.6318082788671024
DLL | Import
KERNEL32.dll | PeekNamedPipe, ReadFile, GetExitCodeProcess, Sleep, GlobalFree, HeapAlloc, HeapFree, lstrcatA, ReadProcessMemory, ExitProcess, HeapReAlloc, IsBadReadPtr, GetVersionExA, GetModuleFileNameA, GetTickCount, WaitForSingleObject, CreateProcessA, GetStartupInfoA, GetFileSize, FindNextFileA, FindFirstFileA, FindClose, GetCommandLineA, FreeLibrary, LCMapStringA, CreateProcessW, CreatePipe, CopyFileA, GetProcAddress, CreateFileA, SetUnhandledExceptionFilter, OpenEventA, CreateEventA, lstrlenW, GetTempPathW, WideCharToMultiByte, GetProcessHeap, MultiByteToWideChar, IsBadCodePtr, GetCommandLineW, RtlMoveMemory, LocalFree, GetCurrentProcessId, OpenProcess, CloseHandle, CreateToolhelp32Snapshot, Process32Next, SetFileAttributesA, CreateThread, LoadLibraryA, GetCurrentProcess, CreateIoCompletionPort, GetQueuedCompletionStatus, GetLogicalDriveStringsA, GetTempFileNameA, GetWindowsDirectoryA, CreateDirectoryW, LocalAlloc, lstrcpyn, RemoveDirectoryA, DeleteFileA, GetModuleHandleA, Process32First, GlobalUnlock, GlobalLock, GlobalAlloc, GetFileAttributesA, MoveFileA, CreateDirectoryA
USER32.dll | CloseClipboard, OpenClipboard, GetSystemMetrics, SetClipboardData, EmptyClipboard, PeekMessageA, TranslateMessage, DispatchMessageA, wsprintfA, MessageBoxA, SetWindowPos, SetFocus, CreateWindowExA, IsWindowEnabled, EnableWindow, MapWindowPoints, GetParent, GetWindowRect, MoveWindow, GetWindowTextA, GetWindowTextLengthA, GetInputState, WaitForInputIdle, CallWindowProcA, SetWindowLongA, CallNextHookEx, SetWindowsHookExA, UnhookWindowsHookEx, GetForegroundWindow, GetMessageA
COMCTL32.dll |
SHELL32.dll | SHGetPathFromIDListA, CommandLineToArgvW, SHGetSpecialFolderLocation, SHGetSpecialFolderPathW
ADVAPI32.dll | EnumServicesStatusExA, EnumServicesStatusA, ChangeServiceConfigA, ControlService, StartServiceA, DeleteService, CreateServiceA, GetServiceKeyNameA, GetServiceDisplayNameA, ChangeServiceConfig2A, QueryServiceConfig2A, QueryServiceConfigA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegOpenKeyExA, RegSetValueExA, RegFlushKey, RegQueryValueExA, RegEnumValueA, RegQueryInfoKeyA, RegEnumKeyA, RegOpenKeyA, RegCreateKeyA, CreateProcessWithTokenW, DuplicateTokenEx, OpenServiceA, OpenSCManagerA, CloseServiceHandle, QueryServiceStatus, LookupAccountSidA, GetTokenInformation, OpenProcessToken, RegCloseKey, RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, EnumDependentServicesA
WTSAPI32.dll | WTSEnumerateProcessesA, WTSFreeMemory
SHLWAPI.dll | PathIsDirectoryA, PathFindFileNameA, PathIsDirectoryW
ole32.dll | CoCreateGuid
MSVCRT.dll | sprintf, srand, rand, atoi, _ftol, _stricmp, free, malloc, __CxxFrameHandler, strrchr, strchr, modf, realloc, memmove, strncmp, ??3@YAXPAX@Z
WS2_32.dll | gethostname, WSACleanup, WSAStartup
No network behavior found
Target ID:0
Start time:16:25:20
Start date:28/09/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.18973.13261.exe"
Imagebase:0x400000
File size:170'496 bytes
MD5 hash:44263157176D2DCE120E56AE6D3EF234
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:3
Start time:16:25:20
Start date:28/09/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 488
Imagebase:0x310000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:0.4%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:20.1%
    Total number of Nodes:822
    Total number of Limit Nodes:7
15330 41d500 4 API calls 15321->15330 15322 41ee04 FindNextFileA 15322->15319 15325 41ee0a 15322->15325 15323 41ee2f FindNextFileA 15323->15319 15326 41ee35 15323->15326 15324->15319 15324->15328 15325->15321 15329 41ee16 FindNextFileA 15325->15329 15326->15321 15331 41ee42 FindNextFileA 15326->15331 15327->15324 15328->15319 15328->15321 15328->15322 15328->15323 15329->15319 15329->15325 15332 41ee6b 15330->15332 15331->15326 15333 41ee4e 15331->15333 15332->15225 15333->15225 15335 41ef27 15334->15335 15336 41eee0 15334->15336 15335->15237 15336->15335 15337 41eef9 GetMessageA TranslateMessage DispatchMessageA PeekMessageA 15336->15337 15337->15335 15337->15336 15339 41eeb4 15338->15339 15340 41eea8 15338->15340 15339->15230 15340->15339 15341 41eead FindClose 15340->15341 15341->15339 15343 40c3d7 15342->15343 15344 40c416 GlobalAlloc 15343->15344 15345 40c440 GlobalLock 15344->15345 15346 40c429 15344->15346 15347 40c458 15345->15347 15348 40c46f RtlMoveMemory 15345->15348 15346->15345 15347->15348 15349 40c4a6 GlobalUnlock 15348->15349 15350 40c48f 15348->15350 15351 40c4bb 15349->15351 15350->15349 15361 40c58f GetForegroundWindow 15351->15361 15353 40c4d7 OpenClipboard 15354 40c506 EmptyClipboard 15353->15354 15355 40c4ef 15353->15355 15356 40c518 15354->15356 15357 40c52f SetClipboardData 15354->15357 15355->15354 15356->15357 15358 40c560 CloseClipboard 15357->15358 15359 40c549 15357->15359 15360 40c572 15358->15360 15359->15358 15360->15165 15362 40c5aa 15361->15362 15362->15353 15364 40c6cf 15363->15364 15365 40c6f0 CreateToolhelp32Snapshot 15364->15365 15366 40c72d 15365->15366 15367 40c77b Process32First 15366->15367 15374 40c751 15366->15374 15368 40c80a 15367->15368 15369 41d630 5 API calls 15368->15369 15377 40c891 15369->15377 15370 40cb25 CloseHandle 15370->15374 15371 41d860 13 API calls 15371->15377 15373 40c971 CloseHandle 15373->15374 15374->15170 15375 40c9c1 Process32Next 15375->15377 15376 41d630 5 API calls 15376->15377 15377->15370 
15377->15371 15377->15373 15377->15375 15377->15376 15396 41f470 15377->15396 15380 40cbae 15378->15380 15379 40cc2f CloseHandle 15381 40cc44 15379->15381 15380->15379 15381->15172 15383 40cca6 GetModuleHandleA 15382->15383 15384 40cc77 UnhookWindowsHookEx 15382->15384 15385 40ccdc SetWindowsHookExA 15383->15385 15388 40ccc5 15383->15388 15384->15383 15387 40cc8f 15384->15387 15386 40cd03 15385->15386 15386->15174 15387->15383 15388->15385 15390 40d127 GetModuleHandleA 15389->15390 15391 40d0f8 UnhookWindowsHookEx 15389->15391 15392 40d15d SetWindowsHookExA 15390->15392 15394 40d146 15390->15394 15391->15390 15393 40d110 15391->15393 15395 40d184 15392->15395 15393->15390 15394->15392 15395->15176 15397 41f4b3 _stricmp 15396->15397 15398 41f478 15396->15398 15397->15377 15398->15377
    APIs
      • Part of subcall function 0040266C: OpenEventA.KERNEL32(001F0003,00000000,004012C3,?,004012C3), ref: 00402690
      • Part of subcall function 0041DB10: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0041DB22
    • GetSystemMetrics.USER32(00000043), ref: 00401BD9
    • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401C1F
    • GetProcAddress.KERNEL32(00000000), ref: 00401C54
      • Part of subcall function 00404B1B: IsBadCodePtr.KERNEL32(00000000), ref: 00404B2C
    • CreateFileA.KERNEL32(?,00000001,00000000,00000000,00000003,02000000,00000000,00000000), ref: 00401D63
      • Part of subcall function 0041DC30: GetTickCount.KERNEL32 ref: 0041DC38
      • Part of subcall function 0041DC30: srand.MSVCRT ref: 0041DC3F
      • Part of subcall function 0041DC60: rand.MSVCRT ref: 0041DCA7
      • Part of subcall function 004072DC: GetCurrentProcess.KERNEL32 ref: 004072F1
      • Part of subcall function 004072DC: CreateIoCompletionPort.KERNEL32(?,00000000,00000000,00000000), ref: 0040732F
      • Part of subcall function 004072DC: GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,?), ref: 0040738F
      • Part of subcall function 004072DC: CloseHandle.KERNEL32(00000000), ref: 004073BB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CompletionCreateFile$AddressCloseCodeCountCurrentEventHandleLibraryLoadMetricsModuleNameOpenPortProcProcessQueuedStatusSystemTickrandsrand
    • String ID: rB$$sB$<sB$GrB$ZrB$_DECRAGE$grB$rB
    • API String ID: 1433877891-2002482318
    • Opcode ID: e018fdfe65e899379cdec9bdbb2122edc47a5b15eff1483f466afccf8f7176ee
    • Instruction ID: de5532e39acbadf7d349d0af006baaac2bf1eaa9ccf12f17598a4d924a59ce7f
    • Opcode Fuzzy Hash: e018fdfe65e899379cdec9bdbb2122edc47a5b15eff1483f466afccf8f7176ee
    • Instruction Fuzzy Hash: 7B7247F1F003059BEB10DFF59C85BAF77B8AB18704F04047AF605BB291E679A9448B59

    Control-flow Graph

    control_flow_graph 429 40dec4-40def4 430 40defa-40df0a GetCurrentProcess 429->430 431 40df2b-40df48 OpenProcess 429->431 432 40df23-40df26 430->432 433 40df0c-40df20 call 41d0a1 430->433 434 40df61 431->434 435 40df4a-40df5e call 41d0a1 431->435 437 40df64-40df68 432->437 433->432 434->437 435->434 441 40df78-40df9e LocalAlloc 437->441 442 40df6e-40df73 437->442 443 40dfa0-40dfb4 call 41d0a1 441->443 444 40dfb7-40dfbe 441->444 445 40e0d4-40e0d7 442->445 443->444 447 40dfc4-40dfe6 NtQueryInformationProcess 444->447 448 40e097-40e0aa CloseHandle 444->448 450 40dfe8-40dffc call 41d0a1 447->450 451 40dfff-40e006 447->451 452 40e0c3-40e0cf 448->452 453 40e0ac-40e0c0 call 41d0a1 448->453 450->451 455 40e011-40e068 call 40e0da * 3 call 40120b call 404376 451->455 456 40e00c 451->456 452->445 453->452 459 40e06b-40e07e LocalFree 455->459 456->459 459->448 462 40e080-40e094 call 41d0a1 459->462 462->448
    APIs
    • GetCurrentProcess.KERNEL32(?,0040DEB0,00000000,00000000,00000000), ref: 0040DEFF
    • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,0040DEB0,00000000,00000000,00000000), ref: 0040DF3D
    • LocalAlloc.KERNEL32(00000040,00000018,?,0040DEB0,00000000,00000000,00000000), ref: 0040DF93
    • NtQueryInformationProcess.NTDLL(00000000,00000000,00000000,00000018,00000018), ref: 0040DFDB
    • LocalFree.KERNEL32(00000000,00000000,00000000,000000A8,00000000,000000A4,00000000,00000004,?,0040DEB0,00000000,00000000,00000000), ref: 0040E073
    • CloseHandle.KERNELBASE(00000000,?,0040DEB0,00000000,00000000,00000000), ref: 0040E09F
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Process$Local$AllocCloseCurrentFreeHandleInformationOpenQuery
    • String ID:
    • API String ID: 1303139876-0
    • Opcode ID: 34e63fda9af20349dcf76c9a5327e2e7779c272701567f3987ad451c9ce10896
    • Instruction ID: d75cd8ff585bc8fcee1375bcb69126986e861aab3cd3c2c70bffb31ce769fb9f
    • Opcode Fuzzy Hash: 34e63fda9af20349dcf76c9a5327e2e7779c272701567f3987ad451c9ce10896
    • Instruction Fuzzy Hash: 58513F70E04319EBDF10AFA1DC467AEBB70EF09715F104466F6057A2C0D7B946A4CB9A

    Control-flow Graph

    control_flow_graph 474 41d500-41d507 475 41d514-41d527 RtlAllocateHeap 474->475 476 41d509-41d50f GetProcessHeap 474->476 477 41d545-41d548 475->477 478 41d529-41d542 MessageBoxA call 41d390 475->478 476->475 478->477
    APIs
    • GetProcessHeap.KERNEL32(00420AC8,?,00000000,00000000,00000000,00420A29,00000000,00000000), ref: 0041D509
    • RtlAllocateHeap.NTDLL(00770000,00000000,00000000,00000000,00420AC8,?,00000000,00000000,00000000,00420A29,00000000,00000000), ref: 0041D51D
    • MessageBoxA.USER32(00000000,004286B8,error,00000010), ref: 0041D536
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Heap$AllocateMessageProcess
    • String ID: error
    • API String ID: 2992861138-1574812785
    • Opcode ID: 705a5dff914bf1a8ee16708b1305199e710293376f0b6d1722e6547cd1671166
    • Instruction ID: a7a5eb8e9180051350eba0e8ddbe24986a269b74039b11390a226e1e7cc6e7f3
    • Opcode Fuzzy Hash: 705a5dff914bf1a8ee16708b1305199e710293376f0b6d1722e6547cd1671166
    • Instruction Fuzzy Hash: FBE0D8F1F42621BFC7319760BC0EB9B36559B04755F400135F844D6250E774A8518B9E

    Control-flow Graph

    control_flow_graph 481 41de90-41deb2 CreateFileA 482 41deb4-41def8 GetFileSize call 41d500 ReadFile CloseHandle 481->482 483 41def9-41defa 481->483 482->483
    APIs
    • CreateFileA.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,00402473,00000001,?,00000000,80000004), ref: 0041DEA5
    • GetFileSize.KERNEL32(00000000,?,00427215,00000268), ref: 0041DEBC
      • Part of subcall function 0041D500: GetProcessHeap.KERNEL32(00420AC8,?,00000000,00000000,00000000,00420A29,00000000,00000000), ref: 0041D509
      • Part of subcall function 0041D500: RtlAllocateHeap.NTDLL(00770000,00000000,00000000,00000000,00420AC8,?,00000000,00000000,00000000,00420A29,00000000,00000000), ref: 0041D51D
      • Part of subcall function 0041D500: MessageBoxA.USER32(00000000,004286B8,error,00000010), ref: 0041D536
    • ReadFile.KERNELBASE(00000000,00000008,00000000,?,00000000), ref: 0041DEE8
    • CloseHandle.KERNELBASE(00000000), ref: 0041DEEF
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
    • String ID:
    • API String ID: 749537981-0
    • Opcode ID: f1e455ca97534189f8e59c1a3db510bf59d79a82e521ff7429a336f747fd733c
    • Instruction ID: f94fe7c6f2684ef5b05a534e8a4beb94f53d910a0c5a3b3d838e0c12281fb6d8
    • Opcode Fuzzy Hash: f1e455ca97534189f8e59c1a3db510bf59d79a82e521ff7429a336f747fd733c
    • Instruction Fuzzy Hash: A5F0C8B67007007BD3219F64EC89FAB77ACEB84B10F104A2EF602971D1E6B4A545C7A4
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00414268
    • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004142BE
    • GetProcessHeap.KERNEL32 ref: 004142EA
    • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 00414321
    • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414369
    • RtlMoveMemory.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000,00000000), ref: 00414624
    • OpenServiceA.ADVAPI32(00000000,?,000F01FF,?,?,?,?,?,?,?,?,?,00000000), ref: 00414895
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004148DC
    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00414905
    • HeapAlloc.KERNEL32(00000001,00000008,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0041493C
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00414975
    • RtlMoveMemory.KERNEL32(?,00000000,00000024,?,?,?,?,?,?,?,?,?,?), ref: 004149B6
    • GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00415342
    • HeapFree.KERNEL32(00000001,00000001,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00415379
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004153A5
    • GetProcessHeap.KERNEL32(?,00000000,?,00000000,00000000), ref: 004153EC
    • HeapFree.KERNEL32(00000001,00000001,00000000,?,00000000,?,00000000,00000000), ref: 00415423
    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,00000000,00000000), ref: 0041544F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Heap$Service$Process$AllocCloseConfigEnumFreeHandleMemoryMoveOpenQueryServicesStatus$Manager
    • String ID: LocalService$LocalSystem$NetworkService$jxB$lsB$lsB$lsB$lsB$lsB$lsB$lsB
    • API String ID: 639198646-1831086797
    • Opcode ID: 6b8d0db7872ed1fd83956b0cca0d11e71b82e72b41197e932c6f8e52fb5f1c37
    • Instruction ID: 98f33e54627f024af630018e09ab1687fede5e3ade57d2750cb8154be3dc087f
    • Opcode Fuzzy Hash: 6b8d0db7872ed1fd83956b0cca0d11e71b82e72b41197e932c6f8e52fb5f1c37
    • Instruction Fuzzy Hash: 5DC265B1E40318ABEB00DFA5DCC2BDD7BB4FF58314F540029E608BA285E7796951CB59
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00415CD3
    • EnumServicesStatusExA.ADVAPI32(00000000,00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00415D52
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00415D93
    • EnumServicesStatusExA.ADVAPI32(00000000,00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00415E04
    • RtlMoveMemory.KERNEL32(00000000,?,?,?,?,?,00000000,?,00000000,00000000), ref: 004160DF
    • OpenServiceA.ADVAPI32(00000000,00000001,000F01FF), ref: 004163A2
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004163F5
    • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00416429
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00416462
    • RtlMoveMemory.KERNEL32(?,00000000,00000024), ref: 004164A3
    • GlobalFree.KERNEL32(00000000), ref: 00416E2B
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00416E57
    • GlobalFree.KERNEL32(00000000), ref: 00416E8F
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00416EBB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$Global$AllocCloseConfigEnumFreeHandleMemoryMoveOpenQueryServicesStatus$Manager
    • String ID: LocalService$LocalSystem$NetworkService$jxB$lsB$lsB$lsB$lsB$lsB$lsB$lsB
    • API String ID: 749800324-1831086797
    • Opcode ID: 6fa02d790720f43c01bebd8cbf64691de85f564c0f919bc3d7a60c6ea79ef680
    • Instruction ID: 9ecd4d6c96cd11dc63db353ec3ba48419734f737a6b7490546908938defcf832
    • Opcode Fuzzy Hash: 6fa02d790720f43c01bebd8cbf64691de85f564c0f919bc3d7a60c6ea79ef680
    • Instruction Fuzzy Hash: EDC265F1E40318ABEB00DFA5DCC2B9D7BB4FF18314F540029E605BA386E679A955CB19

    Control-flow Graph

    control_flow_graph 2435 410a09-410b1b call 41d09b * 3 CreatePipe 2442 410b34-410b3b 2435->2442 2443 410b1d-410b31 call 41d0a1 2435->2443 2445 410b41-410b46 2442->2445 2446 410b4b-410c00 call 41e570 call 41df80 2442->2446 2443->2442 2447 4114ae-4114cc call 41d095 * 2 2445->2447 2457 410c02-410c08 call 41d095 2446->2457 2458 410c0b-410c3d call 403c74 SHGetSpecialFolderPathW 2446->2458 2459 4114d7-4114dc 2447->2459 2460 4114ce-4114d4 call 41d095 2447->2460 2457->2458 2471 410c56-410c6a 2458->2471 2472 410c3f-410c53 call 41d0a1 2458->2472 2464 4114e7-4114f8 call 41d095 2459->2464 2465 4114de-4114e4 call 41d095 2459->2465 2460->2459 2479 411503-411508 2464->2479 2480 4114fa-411500 call 41d095 2464->2480 2465->2464 2476 410c70-410c75 2471->2476 2477 410c7a 2471->2477 2472->2471 2478 410c7f-410c9f call 403ef3 2476->2478 2477->2478 2490 410ca1-410ca7 call 41d095 2478->2490 2491 410caa-410d05 call 403c74 call 41151a call 40120b 2478->2491 2484 411513-411517 2479->2484 2485 41150a-411510 call 41d095 2479->2485 2480->2479 2485->2484 2490->2491 2500 410d07 2491->2500 2501 410d0c-410d24 call 41f700 2491->2501 2500->2501 2504 410d26-410d2c call 41d095 2501->2504 2505 410d2f-410d4f call 403ef3 2501->2505 2504->2505 2510 410d51-410d57 call 41d095 2505->2510 2511 410d5a-410d77 call 4039cb 2505->2511 2510->2511 2516 410d82-410d8b 2511->2516 2517 410d79-410d7f call 41d095 2511->2517 2518 410d96-410da6 2516->2518 2519 410d8d-410d93 call 41d095 2516->2519 2517->2516 2523 410da8 2518->2523 2524 410dad-410e15 call 41df30 call 40120b call 41df80 call 4039cb 2518->2524 2519->2518 2523->2524 2534 410e20-410e29 2524->2534 2535 410e17-410e1d call 41d095 2524->2535 2537 410e34-410f6c call 403c74 call 40388a call 411565 call 41d09b CreateProcessW 2534->2537 2538 410e2b-410e31 call 41d095 2534->2538 2535->2534 2550 410f85-41106c call 41d095 CloseHandle 2537->2550 2551 410f6e-410f82 call 41d0a1 2537->2551 2538->2537 2556 411085-411089 2550->2556 2557 41106e-411082 call 41d0a1 2550->2557 
2551->2550 2559 4110c5-4110e3 CloseHandle 2556->2559 2560 41108f-4110a2 CloseHandle 2556->2560 2557->2556 2561 4110e5-4110f9 call 41d0a1 2559->2561 2562 4110fc-41111c WaitForInputIdle 2559->2562 2564 4110a4-4110b8 call 41d0a1 2560->2564 2565 4110bb-4110c0 2560->2565 2561->2562 2567 411135-411139 2562->2567 2568 41111e-411132 call 41d0a1 2562->2568 2564->2565 2565->2447 2572 41138b-4113a6 CloseHandle 2567->2572 2573 41113f-41116a PeekNamedPipe 2567->2573 2568->2567 2575 4113a8-4113bc call 41d0a1 2572->2575 2576 4113bf-4113d2 CloseHandle 2572->2576 2578 411183-411187 2573->2578 2579 41116c-411180 call 41d0a1 2573->2579 2575->2576 2581 4113d4-4113e8 call 41d0a1 2576->2581 2582 4113eb-4113f4 2576->2582 2584 41118d-4111b5 call 41df80 2578->2584 2585 41130e-41132d GetExitCodeProcess 2578->2585 2579->2578 2581->2582 2590 4113f6 2582->2590 2591 4113f9-411405 2582->2591 2601 4111c0-4111d8 2584->2601 2602 4111b7-4111bd call 41d095 2584->2602 2588 411346-41134d 2585->2588 2589 41132f-411343 call 41d0a1 2585->2589 2596 411353 2588->2596 2597 411358-41136d Sleep 2588->2597 2589->2588 2590->2591 2598 411407 2591->2598 2599 41140a-411415 2591->2599 2596->2572 2604 411386 2597->2604 2605 41136f-411383 call 41d0a1 2597->2605 2598->2599 2606 411421-411426 2599->2606 2607 411417-41141a 2599->2607 2611 4111da 2601->2611 2612 4111dd-4111ee ReadFile 2601->2612 2602->2601 2604->2567 2605->2604 2609 411436-41143a 2606->2609 2610 41142c-411431 2606->2610 2607->2606 2614 41141c call 4032df 2607->2614 2617 411440-411455 call 403fd9 2609->2617 2618 41145f-411480 call 4039cb 2609->2618 2610->2447 2611->2612 2619 4111f0-411204 call 41d0a1 2612->2619 2620 411207-411226 call 4039cb 2612->2620 2614->2606 2617->2447 2630 411482-411488 call 41d095 2618->2630 2631 41148b-411494 2618->2631 2619->2620 2632 411231-411248 2620->2632 2633 411228-41122e call 41d095 2620->2633 2630->2631 2641 411496-4114a7 call 41d09b 2631->2641 2642 4114a9 2631->2642 2634 411309 2632->2634 2635 41124e-411252 2632->2635 
2633->2632 2634->2597 2639 411287-4112a8 call 4039cb 2635->2639 2640 411258-411273 call 403fd9 2635->2640 2653 4112b3-4112b4 2639->2653 2654 4112aa-4112b0 call 41d095 2639->2654 2651 411275-41127b call 41d095 2640->2651 2652 41127e-411282 2640->2652 2641->2642 2642->2447 2651->2652 2656 4112b7-4112fe call 40388a call 411581 2652->2656 2653->2656 2654->2653 2656->2634 2664 411304 2656->2664 2664->2572
    APIs
    • CreatePipe.KERNEL32(00000000,00000000,00000000,00000000), ref: 00410B10
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000000,00000000), ref: 00410C32
    • CreateProcessW.KERNEL32(00000000,00000000,?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00410F61
    • CloseHandle.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 00411061
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 00411097
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 004110D8
    • WaitForInputIdle.USER32(00000000,000003E8), ref: 00411111
    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000), ref: 0041115F
    • ReadFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 004111E3
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 00411322
      • Part of subcall function 00403FD9: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 004040B5
    • Sleep.KERNEL32(00000001,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 00411362
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 0041139B
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000001,00000001), ref: 004113C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle$CreatePipeProcess$ByteCharCodeExitFileFolderIdleInputMultiNamedPathPeekReadSleepSpecialWaitWide
    • String ID: /c $[A$\cmd.exe$\command.com
    • API String ID: 4223885641-1881789782
    • Opcode ID: 09426194bcebca9c65a55874e4f6ac6c4ad04b093cf7b347c963c368def8f260
    • Instruction ID: cdfa67f950413d8aba35a529d406481f4311bdcad35f854d5f16005b5db9d459
    • Opcode Fuzzy Hash: 09426194bcebca9c65a55874e4f6ac6c4ad04b093cf7b347c963c368def8f260
    • Instruction Fuzzy Hash: C66209B1E40309ABEF10DFA5ECC5B9EBBB4AF18314F140026E605BB381E779A591CB55
    APIs
    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0040C41C
    • GlobalLock.KERNEL32(00000000), ref: 0040C44B
    • RtlMoveMemory.KERNEL32(00000000,00000002,00000000), ref: 0040C482
    • GlobalUnlock.KERNEL32(00000000), ref: 0040C4AE
    • OpenClipboard.USER32(00000000), ref: 0040C4E2
    • EmptyClipboard.USER32 ref: 0040C50B
    • SetClipboardData.USER32(00000001,00000000), ref: 0040C53C
    • CloseClipboard.USER32 ref: 0040C565
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Clipboard$Global$AllocCloseDataEmptyLockMemoryMoveOpenUnlock
    • String ID: lsB
    • API String ID: 2903773834-575463903
    • Opcode ID: 04f946a2c85cca730725b16f39b3320f5d47223364587b8be726b73d1e467f87
    • Instruction ID: 3d2fca06fadcd5da2c6968f07cbc19a4199a8a93edfa2883944f9547740e88bc
    • Opcode Fuzzy Hash: 04f946a2c85cca730725b16f39b3320f5d47223364587b8be726b73d1e467f87
    • Instruction Fuzzy Hash: 944131B4E40308FBEB10AFA0DD87BAEBFB1AB09715F504565F5047A180D77A4690CBDA
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?,?,0040C5E9), ref: 0040C720
    • Process32First.KERNEL32(000000FF,00000000), ref: 0040C7FD
    • CloseHandle.KERNEL32(000000FF), ref: 0040C979
    • Process32Next.KERNEL32(000000FF,00000000), ref: 0040CA43
    • CloseHandle.KERNEL32(000000FF,?,?,?,?,?,?,?,0040C5E9), ref: 0040CB2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
    • String ID: lsB$lsB
    • API String ID: 1789362936-2359463181
    • Opcode ID: 5bfea29c0391b9bf33e31ee1042cf2f080800d5184bcd658dc431e4d1efa4047
    • Instruction ID: 936ea92a57d697f22349cd11dd2fd27080672a001d8c158f425babb76bf45983
    • Opcode Fuzzy Hash: 5bfea29c0391b9bf33e31ee1042cf2f080800d5184bcd658dc431e4d1efa4047
    • Instruction Fuzzy Hash: F3E14DF1A402569BFB00DFA8DCC1B9A77A0EF59324F280435E50AAF340D379B961DB56
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 004155A1
    • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004155F7
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00415628
    • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00415670
    • GlobalFree.KERNEL32(00000000), ref: 0041569F
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004156CB
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: EnumGlobalServicesStatus$AllocCloseFreeHandleManagerOpenService
    • String ID:
    • API String ID: 2081471158-0
    • Opcode ID: d75f427d4269b4074a095e20b6992aee8a9c50a44a8838642211eed12f7f1006
    • Instruction ID: d966f5431f58b1e8e8a1040ed51d6d36c6386fa4cb8a5a6d1a691bcd37b23b80
    • Opcode Fuzzy Hash: d75f427d4269b4074a095e20b6992aee8a9c50a44a8838642211eed12f7f1006
    • Instruction Fuzzy Hash: FD412BB4E40309FBEB109FA1DD06BEEBBB5EB09714F504026F1187A180D27A5691CFDA
    APIs
    • FindClose.KERNEL32(00427215,00000000), ref: 0041ED98
    • FindFirstFileA.KERNEL32(?,?,00000000), ref: 0041EDA4
    • FindNextFileA.KERNEL32(00427215,00000000,00000000,00427215,?,00000000), ref: 0041EE04
    • FindNextFileA.KERNEL32(00427215,?,?,00000000), ref: 0041EE1C
    • FindNextFileA.KERNEL32(00427215,00000000,00000000,00427215,?,00000000), ref: 0041EE2F
    • FindNextFileA.KERNEL32(00427215,?,?,00000000), ref: 0041EE48
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Find$File$Next$CloseFirst
    • String ID:
    • API String ID: 1884811643-0
    • Opcode ID: 917ded024f04a1d20b2547bcf4210bdae42c3ad749adaede7467fe65e373c450
    • Instruction ID: ad96e4fcb63cd82dd3558789ff3d09b27a196235f5bed2761d9ebd65c8ca7190
    • Opcode Fuzzy Hash: 917ded024f04a1d20b2547bcf4210bdae42c3ad749adaede7467fe65e373c450
    • Instruction Fuzzy Hash: 7031D9367007164BD730DA2AEC44BFB7394BFC4720F450A2AED6587380EB39DC898699
    APIs
    • FindFirstFileA.KERNEL32(?,?,00000238), ref: 0041F1CA
    • DeleteFileA.KERNEL32(?), ref: 0041F2EF
    • FindNextFileA.KERNEL32(00000000,?), ref: 0041F304
    • FindClose.KERNEL32(00000000), ref: 0041F313
      • Part of subcall function 0041F0F0: RemoveDirectoryA.KERNEL32(?), ref: 0041F2E6
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: FileFind$CloseDeleteDirectoryFirstNextRemove
    • String ID:
    • API String ID: 196174304-0
    • Opcode ID: 711391d98003b812d42eed3d0e1ddec31a6dd5ad9813caf543f561d3a930b72e
    • Instruction ID: 1acee1032b002fdb52bbb03fad87674d77a744dbe4151ab61f8aa1ae480c758c
    • Opcode Fuzzy Hash: 711391d98003b812d42eed3d0e1ddec31a6dd5ad9813caf543f561d3a930b72e
    • Instruction Fuzzy Hash: 4D51D5366046480BC7288A7898615EB77C6ABD4330F594B3EE96BC73D0EE79DD0EC244
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00413176
    • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 004131B9
    • ChangeServiceConfigA.ADVAPI32(00000000,FFFFFFFF,?,FFFFFFFF,?,?,00000000,?,?,?,?), ref: 004132DC
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413371
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041339D
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$ChangeConfigManager
    • String ID:
    • API String ID: 3054356760-0
    • Opcode ID: db644377e79abdd9be9e918e927d7efc3ff182ec465c3c1f43d80fd5a47fe5d8
    • Instruction ID: 5d138ccca7dc5e2fed9accbefca25afb24964360a2f3747d37cd2f52cb43fc07
    • Opcode Fuzzy Hash: db644377e79abdd9be9e918e927d7efc3ff182ec465c3c1f43d80fd5a47fe5d8
    • Instruction Fuzzy Hash: C55113B1F40308BBEB109FE1DC47BEE7A71AB08715F140429FB147E2C1E6BA56908B59
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00412971
    • OpenServiceA.ADVAPI32(00000000,00000000,?), ref: 004129EB
    • DeleteService.ADVAPI32(00000000), ref: 00412A24
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412A53
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412A7F
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$DeleteManager
    • String ID:
    • API String ID: 204194956-0
    • Opcode ID: 3ea295d18d61a2ae5ee8447a247e97d4fee846a86e5c2c975e898092f5b9e91a
    • Instruction ID: 039d98c5e845ccd5e404b0e5009faa0377f095f6505ee90f409a7febca9b08d5
    • Opcode Fuzzy Hash: 3ea295d18d61a2ae5ee8447a247e97d4fee846a86e5c2c975e898092f5b9e91a
    • Instruction Fuzzy Hash: 793164B0E50318BBEB10AFA0DD07BAEBA70AF09755F504525F1087A1C0D7F65690CB9A
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00412AE3
    • OpenServiceA.ADVAPI32(00000000,00000000,00000010), ref: 00412B26
    • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00412B69
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412B98
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412BC4
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$ManagerStart
    • String ID:
    • API String ID: 1485051382-0
    • Opcode ID: 164bce5bd3f2ab7e2ab7344646ea41feef0e83033111e0f51b5f123f3b186197
    • Instruction ID: c419527cc32dc670f81d4b3eabbe502063bcccf4ab688d524b2e5d9bc5a81641
    • Opcode Fuzzy Hash: 164bce5bd3f2ab7e2ab7344646ea41feef0e83033111e0f51b5f123f3b186197
    • Instruction Fuzzy Hash: A23154B0E44318FBDB10AFA0DE06BAEBB70BB15711F404565F1087A180D3F55690DB8A
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004127B1
    • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,?,?,00000001,?,?,00000000,?,?,?), ref: 00412876
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004128D8
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412904
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandle$CreateManagerOpen
    • String ID:
    • API String ID: 2424488607-0
    • Opcode ID: c868a48e8b212fb6cb22ebf6af8e257dae8eae602bff4664bf60759b469feb62
    • Instruction ID: d37e1ec0abe70d318c0b3283ed2463257440cc5871af0e23dfa59697d30af1d2
    • Opcode Fuzzy Hash: c868a48e8b212fb6cb22ebf6af8e257dae8eae602bff4664bf60759b469feb62
    • Instruction Fuzzy Hash: 87515E74A40308FBEF01AFA0CD46BDD7BB0EB08314F004165FA04AA291D3B996A0DF5A
    APIs
      • Part of subcall function 0040C58F: GetForegroundWindow.USER32(?,0040C4D7), ref: 0040C59D
    • OpenClipboard.USER32(00000000), ref: 0040C4E2
    • EmptyClipboard.USER32 ref: 0040C50B
    • SetClipboardData.USER32(00000001,00000000), ref: 0040C53C
    • CloseClipboard.USER32 ref: 0040C565
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Clipboard$CloseDataEmptyForegroundOpenWindow
    • String ID:
    • API String ID: 966817184-0
    • Opcode ID: 400ae1d6691e17c590632a2f7301a88ddc79b70a7320605893bfa61937bf2811
    • Instruction ID: 04ae6674d39151ea3cf62d6cc84d2764affccc56d5f6ef855ccad9c4cbf4885e
    • Opcode Fuzzy Hash: 400ae1d6691e17c590632a2f7301a88ddc79b70a7320605893bfa61937bf2811
    • Instruction Fuzzy Hash: 221160B4F44305FBD710AFB09D877AEBB709B0A711F140566F1047A1C0E67A4691CAEB
    APIs
    • GetLogicalDriveStringsA.KERNEL32(000000FF,00000000), ref: 004078D5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: DriveLogicalStrings
    • String ID: Tu@$lsB
    • API String ID: 2022863570-3149387333
    • Opcode ID: f3db82a1468e89b369cd0fbac6f4ab6015ff97eee58a91c44ae64b94107eefba
    • Instruction ID: 3657416d358bebbe956b90e73c44ddc075ec5669e343080fac8f69a10030e6b8
    • Opcode Fuzzy Hash: f3db82a1468e89b369cd0fbac6f4ab6015ff97eee58a91c44ae64b94107eefba
    • Instruction Fuzzy Hash: A3B177F1F442059BFB10DAA5DCC2BAF77A4AB18314F14007AFA05FB381E679B9418766
    APIs
    • UnhookWindowsHookEx.USER32(00000001), ref: 0040CC82
    • GetModuleHandleA.KERNEL32(00000000,00000001,00428369,00000000,00000001,?,?,?,?,?,?,?,004074F2), ref: 0040CCB8
    • SetWindowsHookExA.USER32(0000000D,0040D0C3,?,00000000), ref: 0040CCF6
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: HookWindows$HandleModuleUnhook
    • String ID:
    • API String ID: 2342532310-0
    • Opcode ID: 34bef85b858209d2df508877841a6b0ca48c12d33b7d6e47fa45a94c2fe87ce8
    • Instruction ID: 6b9dcc124f61c24f57be2f8160a3bf868d36f1be011d844814069cf48eaf98a5
    • Opcode Fuzzy Hash: 34bef85b858209d2df508877841a6b0ca48c12d33b7d6e47fa45a94c2fe87ce8
    • Instruction Fuzzy Hash: 77113070F41304FBDB20AFA1DD47B5D7F60AB05752F408076B5087A2C0E67556558B5E
    APIs
    • GetVersionExA.KERNEL32(?), ref: 0041D794
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    • Opcode ID: 1e853dcc142a15417ed2cd3a366cffb36dc4392bc6ff73f515553900f4d36c4c
    • Instruction ID: b7a4a6691a933674b88ca7f1c71783d1db5be2b6e7a82cfd0e8015f97230eea8
    • Opcode Fuzzy Hash: 1e853dcc142a15417ed2cd3a366cffb36dc4392bc6ff73f515553900f4d36c4c
    • Instruction Fuzzy Hash: 4CF09A72B0021513E730962CEC44BEBF6D8AB84764F840477E668C63A1E4BCC98B41C9
    APIs
      • Part of subcall function 0041DDB0: atoi.MSVCRT(00000000,?,?,?,?,?,?,?,?,0040129B), ref: 0041DE0E
    • SetUnhandledExceptionFilter.KERNEL32(0040129B,?,?,?,?,?,0040129B), ref: 00402320
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandledatoi
    • String ID:
    • API String ID: 933777754-0
    • Opcode ID: 230f3f92d9c43d47110aa254d022de2ea088d1a7619c68ccd226d4e073199041
    • Instruction ID: 04ae530a847475eff96767bc9a1e2dd5d8b20e6ef1a8c8163a74b9ab1aa2a258
    • Opcode Fuzzy Hash: 230f3f92d9c43d47110aa254d022de2ea088d1a7619c68ccd226d4e073199041
    • Instruction Fuzzy Hash: 2CE0D170F4030877E7207BB05D0775D7570D709704F5040B6FD08761C2F5BA15705686
    APIs
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040237A
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: f677855d1097d3613b21265ecf61b2c28aedaee6bcc8536797688086a6588716
    • Instruction ID: df066e8cd697ec556d6108b01e61d2e1ff00c8a05c6ea3c05dcc0923910c508d
    • Opcode Fuzzy Hash: f677855d1097d3613b21265ecf61b2c28aedaee6bcc8536797688086a6588716
    • Instruction Fuzzy Hash: 57F0A730E00308EBC700DF64C54AB5DBBB0AB09314F5081B5E9083B2D1D7755A549B46
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ??3@
    • String ID:
    • API String ID: 613200358-0
    • Opcode ID: 303f045bfc0c2ae6b86ad52fbbb755a0cd18b7bfbd1532dd55bc2328e09c1aa0
    • Instruction ID: 2b6d51ac89fbd29d0fc9763b6739cc7864ae4cdb6912552dceabd16ac0ac9e90
    • Opcode Fuzzy Hash: 303f045bfc0c2ae6b86ad52fbbb755a0cd18b7bfbd1532dd55bc2328e09c1aa0
    • Instruction Fuzzy Hash: A4D095F2A4013111D2141D187C062D791F44F53314F04C12FFC4593303D6BCCC8641AE
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
    • Instruction ID: 54362848167c92106cd00076080ec324b07bc3959eb0f6e1c4a065c9153a5406
    • Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
    • Instruction Fuzzy Hash: 9E52BA767447095BD308CE9ACC9195AF3D3ABC8304F488A3CE955C3346EEB8ED0AC655
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
    • Instruction ID: 4b568d269aab9b0e76e9530bc0a1acc43a46e1789187a42d234e6212c70c24db
    • Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
    • Instruction Fuzzy Hash: 0DF1AD7260C2508FC3098F18E5989E27BE2FFA8754B1F42FAD4499B363D7369841CB95
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 87f601182351ec405340d45de598d1bcb3d2e6f5ef99c7e9ad81858a078b48d8
    • Instruction ID: 8fcc366b03b2536323ed915c9daf8bb1b8b96d6c955aad2d3cef2826cc15a6a5
    • Opcode Fuzzy Hash: 87f601182351ec405340d45de598d1bcb3d2e6f5ef99c7e9ad81858a078b48d8
    • Instruction Fuzzy Hash: 7CD189752082518FC319CF18E5D88E67BE1FFA8740B4E42F9C98A9B323D7369841CB55
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
    • Instruction ID: d39377a01c0441ebbdc4ce8508775ee24cbcf2fc997e1980600f0b2fd97afc4c
    • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
    • Instruction Fuzzy Hash: 2B314D3374559203F71DCE2F9CA12BAEAD34FC522872ED57E99C58731AECBA84164144
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 38ad12cb99c612f196e1196b4ea8d84d44f96c79e3dc8fddb13796f1c251f6a1
    • Instruction ID: 12a374f1bc605c3aed030f542aaab06e71a69c542a5848dcb82fe218c4589d0c
    • Opcode Fuzzy Hash: 38ad12cb99c612f196e1196b4ea8d84d44f96c79e3dc8fddb13796f1c251f6a1
    • Instruction Fuzzy Hash: 5DE04F71B052089BD730CF49FA41755B7E8EB08304F9081A9FC0CD3B50E77A9D20D659

    Control-flow Graph

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,0042A7A8,00000104), ref: 0041F9DE
    • strrchr.MSVCRT ref: 0041F9EF
    • _ftol.MSVCRT ref: 0041FB2E
    • GetCommandLineA.KERNEL32 ref: 0041FB54
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041FBC1
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041FBF3
    • TranslateMessage.USER32(?), ref: 0041FBFA
    • DispatchMessageA.USER32(?), ref: 0041FC01
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041FC10
    • wsprintfA.USER32 ref: 0041FE53
    • MessageBoxA.USER32(00000000,?,__DECRAGE,00000010), ref: 0041FE6A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message$Peek$CommandDispatchFileLineModuleNameTranslate_ftolstrrchrwsprintf
    • String ID: ERROR$__DECRAGE$__DECRAGE RunTime Error:%s
    • API String ID: 3335176381-317446693
    • Opcode ID: cbe8d85ad00e6cf5e0541d13967d598fff44645ca9c62754c845d3fd3f8db211
    • Instruction ID: b9a0292a464c7728a53c27a18fc02aacd0e3cc7baf5afde0424a36f5e687e662
    • Opcode Fuzzy Hash: cbe8d85ad00e6cf5e0541d13967d598fff44645ca9c62754c845d3fd3f8db211
    • Instruction Fuzzy Hash: 78C1087778060457D3349268FC45BFBB780D7D0332F54013BEA05CA2E1D96F959E8AAA

    Control-flow Graph

    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00413CC0
    • OpenServiceA.ADVAPI32(00000000,00000000,00000001), ref: 00413D03
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00413D4A
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00413D7B
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00413DB4
    • RtlMoveMemory.KERNEL32(?,00000000,00000024), ref: 00413DF5
    • GlobalFree.KERNEL32(00000000), ref: 004140A4
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004140D0
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004140FC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseConfigGlobalHandleOpenQuery$AllocFreeManagerMemoryMove
    • String ID: Networkservice$jxB$localservice$localsystem$lsB$lsB$lsB$lsB$lsB$lsB$lsB
    • API String ID: 4257998133-2882072413
    • Opcode ID: 33f328f9c2c589488ef73c572b1a7f40f5a5743660b9a337727a65d3d12e68e4
    • Instruction ID: 45e3e4d6d669a4013059d0d1e65790fbf0c8567184e8898e449864238793c891
    • Opcode Fuzzy Hash: 33f328f9c2c589488ef73c572b1a7f40f5a5743660b9a337727a65d3d12e68e4
    • Instruction Fuzzy Hash: 96D167F0F40304ABEB10DFA59D46BEE7AB4AB1C715F14003AF704BA281E67A5991C76D

    Control-flow Graph

    APIs
    • RegCreateKeyA.ADVAPI32(80000005,?,00000000), ref: 0040E6B7
    • RegOpenKeyA.ADVAPI32(80000005,?,00000000), ref: 0040E783
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateOpen
    • String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$lsB$lsB$lsB$lsB$lsB$lsB$lsB$lsB
    • API String ID: 436179556-2860883009
    • Opcode ID: fc43cd86f5aede989fb7e793da94cd99c752d4e05d626225fd8241ccf6ce965d
    • Instruction ID: 710e141eb6f700b791122f7aeb0678feab987eb516f0bd57223bebcb1a15418d
    • Opcode Fuzzy Hash: fc43cd86f5aede989fb7e793da94cd99c752d4e05d626225fd8241ccf6ce965d
    • Instruction Fuzzy Hash: E3A165B0E00208FBEB109F96EC85B9E7B74EB18304F54487AFA05BA2C1D7795A60C759

    Control-flow Graph

    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00413779
    • OpenServiceA.ADVAPI32(00000000,00000000,00000001), ref: 004137BC
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00413803
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00413834
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 0041386D
    • RtlMoveMemory.KERNEL32(?,00000000,00000024), ref: 004138AE
    • GlobalFree.KERNEL32(00000000), ref: 0041391C
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413948
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413974
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseConfigGlobalHandleOpenQuery$AllocFreeManagerMemoryMove
    • String ID: lsB
    • API String ID: 4257998133-575463903
    • Opcode ID: baa9a81697714a33ee472185fa78fb6e8f4b42d193b51c4d5ac6a7a52bdb40d5
    • Instruction ID: 9cd4fc2219f058a6807319d604df2ad7e8c37ebc0782109f5b0907d093eb507f
    • Opcode Fuzzy Hash: baa9a81697714a33ee472185fa78fb6e8f4b42d193b51c4d5ac6a7a52bdb40d5
    • Instruction Fuzzy Hash: 3C7157F0E50318ABEF10AFA1DC46BDEBBB4BB0D715F044125F108BA281E77A5650CB59

    Control-flow Graph

    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 0041FF02
    • LoadLibraryA.KERNEL32(?), ref: 0041FF17
    • wsprintfA.USER32 ref: 0041FF2E
    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 0041FF5E
    • atoi.MSVCRT(?), ref: 0041FF9F
    • strchr.MSVCRT ref: 0041FFD9
    • GetProcAddress.KERNEL32(00000000,?), ref: 0041FFF7
    • wsprintfA.USER32 ref: 0042000F
    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 00420043
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Messagewsprintf$AddressHandleLibraryLoadModuleProcatoistrchr
    • String ID: DLL ERROR
    • API String ID: 4054768979-4092134112
    • Opcode ID: 45cb0141e4792c6b2a5f9bfb8f7f53b538d3cb579e5bca1d447e80fbf86dd5d3
    • Instruction ID: 7e09291dcee4e6feee0f2c124e430f23e8709d101480c73ccbf591e3d81e24e4
    • Opcode Fuzzy Hash: 45cb0141e4792c6b2a5f9bfb8f7f53b538d3cb579e5bca1d447e80fbf86dd5d3
    • Instruction Fuzzy Hash: 5241C3B17043055BD320DF64AC45B9B77D8AB99710F40053AFA05C7291EBB8D94AC7AA
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00411FF3
    • OpenServiceA.ADVAPI32(00000000,00000000,00000001), ref: 00412036
    • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00412082
    • GetProcessHeap.KERNEL32 ref: 004120AB
    • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 004120E2
    • QueryServiceConfig2A.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00412120
    • RtlMoveMemory.KERNEL32(?,00000000,00000004), ref: 0041215C
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004121C1
    • GetProcessHeap.KERNEL32 ref: 004121EA
    • HeapFree.KERNEL32(?,00000001,00000000), ref: 00412221
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041224D
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$Heap$CloseConfig2HandleOpenProcessQuery$AllocFreeManagerMemoryMove
    • String ID:
    • API String ID: 4186248289-0
    • Opcode ID: d930be343fc1d2352145f4088b378296fa1fd3da912b024d67c00fd58ccc063f
    • Instruction ID: 8fea60fde15ca56f9dfd3a87eed5b99bdd4a033c0173b8d67cb42fad26520502
    • Opcode Fuzzy Hash: d930be343fc1d2352145f4088b378296fa1fd3da912b024d67c00fd58ccc063f
    • Instruction Fuzzy Hash: FF8189B0E40305ABEB109FB1DD47BEE7BB4AF1D715F144026F508BA180E6B94691CF99
    APIs
    • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 004050A0
    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 0040510B
    • CloseHandle.KERNEL32(00000000), ref: 00405144
    • CloseHandle.KERNEL32(00000000), ref: 00405199
    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00427215,00000000,00000000), ref: 004051E0
    • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00405262
    • CloseHandle.KERNEL32(00000000), ref: 00405342
    • LookupAccountSidA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?), ref: 00405421
    • CloseHandle.KERNEL32(00000000), ref: 00405487
    • LookupAccountSidA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00405588
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle$Token$AccountInformationLookupOpenProcess
    • String ID:
    • API String ID: 3246857531-0
    • Opcode ID: 4826e97bec8ee2add6e74a2c8d568950118bc7a2ec02ae84824c336c32dcfa5e
    • Instruction ID: 70bd23ef6376a538e876860c57da62c3c1691bb19944a3be35e0a10edf687bc0
    • Opcode Fuzzy Hash: 4826e97bec8ee2add6e74a2c8d568950118bc7a2ec02ae84824c336c32dcfa5e
    • Instruction Fuzzy Hash: D3F154B1E40304BBEB109FB5DC46BEE7BB5EB08704F54442AFA04BA2C1E6BA55508F59
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00413433
    • OpenServiceA.ADVAPI32(00000000,00000000,00000001), ref: 00413476
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 004134BD
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 004134EE
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00413527
    • RtlMoveMemory.KERNEL32(?,00000000,00000024), ref: 00413568
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041367D
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004136A9
    • GlobalFree.KERNEL32(00000000), ref: 004136D5
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseConfigGlobalHandleOpenQuery$AllocFreeManagerMemoryMove
    • String ID:
    • API String ID: 4257998133-0
    • Opcode ID: 5c46755abc53f0f6937ef81c5c0f8b88f575be1504e6d1a9e5816f1dc84591b6
    • Instruction ID: 57253c06b1829d0cac89d406ba40070f8e8db2bb950447ab4f3a6dbdefaa1626
    • Opcode Fuzzy Hash: 5c46755abc53f0f6937ef81c5c0f8b88f575be1504e6d1a9e5816f1dc84591b6
    • Instruction Fuzzy Hash: B88122B0E40318EBEF109FA1DC46BEEBBB1FB0D715F500126E6057A281D3795691CB9A
    APIs
    • RegDeleteKeyA.ADVAPI32(00000000,?), ref: 00410368
    • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 004103AD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseDelete
    • String ID: lsB$lsB$lsB$lsB$lsB
    • API String ID: 453069226-3033684243
    • Opcode ID: 4cd1792f3af635ae6688ab1c27d5f07e59483d94f83c667ef2f2a2109d21c44b
    • Instruction ID: f53bd7fd5e91dcafea311144008862dcbeb99aa26837f20a0542f41e6fb9ea31
    • Opcode Fuzzy Hash: 4cd1792f3af635ae6688ab1c27d5f07e59483d94f83c667ef2f2a2109d21c44b
    • Instruction Fuzzy Hash: 4CA156B5E00204AFEB10DFA5DCC6BDE77B4EB08314F14406AFA05BB391D6799990CB59
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00411CF8
    • OpenServiceA.ADVAPI32(00000000,00000000,80000000), ref: 00411D3B
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00411D82
    • GlobalAlloc.KERNEL32(00000040,00000000), ref: 00411DB3
    • QueryServiceConfigA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00411DEC
    • GlobalFree.KERNEL32(00000000), ref: 00411F11
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411F3D
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411F69
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseConfigGlobalHandleOpenQuery$AllocFreeManager
    • String ID:
    • API String ID: 1798664345-0
    • Opcode ID: 006de4605fcc4d9958f663af474fcaabec066cc3d20e923478c7da387a876653
    • Instruction ID: da7bc4fa81ba3ec4ae31789ca146e3a96fe79c0fb158ba368fb455aa88b753f5
    • Opcode Fuzzy Hash: 006de4605fcc4d9958f663af474fcaabec066cc3d20e923478c7da387a876653
    • Instruction Fuzzy Hash: DF7178B0E40309EBEB109FA1DD46BFEBAB5AF08714F10442AF6047A2D1D3795691CF99
    APIs
    • lstrcpyn.KERNEL32(00000000,00000000,00000000), ref: 00408A7D
    • lstrcpyn.KERNEL32(00000000,00000000,00000000), ref: 00408AB4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: lstrcpyn
    • String ID: tB$*.*$lsB$lsB$lsB
    • API String ID: 97706510-3314701417
    • Opcode ID: b1e8de21e48bba5f0c2dd57b9478aa0ee3292e5c3db20aca176f212171ffdc1d
    • Instruction ID: 5a754f420145a6fd81577788ae37f5b11e9646b2a0a27a507e9b19c6d2e9a950
    • Opcode Fuzzy Hash: b1e8de21e48bba5f0c2dd57b9478aa0ee3292e5c3db20aca176f212171ffdc1d
    • Instruction Fuzzy Hash: 6CE18BB1E00305ABEF10EFA5DD82B9F7B74AB18304F14043AFA05BA3C1D6795A54CB69
    APIs
    • GetStartupInfoA.KERNEL32 ref: 0041DCD2
    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 0041DD51
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0041DD6A
    • CloseHandle.KERNEL32(?), ref: 0041DD7B
    • CloseHandle.KERNEL32(?), ref: 0041DD82
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CloseHandle$CreateInfoObjectProcessSingleStartupWait
    • String ID: D
    • API String ID: 2246201701-2746444292
    • Opcode ID: 15a13d45cebc142761f0b679e0b458df93087cfe8cf199ad142d7cc45c3d1aa2
    • Instruction ID: f39a994570697b277b2dea15f6fbd69238444c1e3cb0c6dd0bfa36cd58dbff02
    • Opcode Fuzzy Hash: 15a13d45cebc142761f0b679e0b458df93087cfe8cf199ad142d7cc45c3d1aa2
    • Instruction Fuzzy Hash: 692133B4908340AAC320DB19D9549ABFBF9EFC5754F60491EF15583220D779C886CB5B
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,20000000), ref: 00412300
    • OpenServiceA.ADVAPI32(00000000,00000000,00000002), ref: 00412343
    • lstrcpyn.KERNEL32(00000000,00000000,00000000), ref: 00412388
    • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,00000000), ref: 004123C0
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004123EF
    • CloseServiceHandle.ADVAPI32(00000000), ref: 0041241B
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$ChangeConfig2Managerlstrcpyn
    • String ID:
    • API String ID: 409095021-0
    • Opcode ID: 9d777e54dd795d3b7530e5156c1baa2e9c6d4d66a69eec6834f9b2e48088fca7
    • Instruction ID: 31be62ef89ee705e37e74a1117f2f166fd7b635fb67674cc0a5839d16a7d0cbb
    • Opcode Fuzzy Hash: 9d777e54dd795d3b7530e5156c1baa2e9c6d4d66a69eec6834f9b2e48088fca7
    • Instruction Fuzzy Hash: FE4133B0E41308EBEB10DFA0DE46BAEBBB0EB09715F500065F108BA180D3B64794CBD6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: \Temp$lsB$~tB
    • API String ID: 0-1779499026
    • Opcode ID: 17a7e1158442f09d146097b1562e7287125354a7e0e16c91df715735c4751d1a
    • Instruction ID: ec8e8d675d910d9056c75b11e381e8839bc71006d1dd7cdfbbee301beabad261
    • Opcode Fuzzy Hash: 17a7e1158442f09d146097b1562e7287125354a7e0e16c91df715735c4751d1a
    • Instruction Fuzzy Hash: 32C199F1E00305ABEB10DFA5DC81B9F77B4EB18314F14407AEA05BB381E779AA458B59
    APIs
    • LocalAlloc.KERNEL32(00000040,00000000,00000000), ref: 0040D995
    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,-00000002,0000005C,00000000,00000000,?,00000000), ref: 0040DA2E
    • LocalFree.KERNEL32(00000000,00000000,?,00000000), ref: 0040DAC9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Local$AllocCreateDirectoryFree
    • String ID: \
    • API String ID: 1918405509-2967466578
    • Opcode ID: f7eb94f50969822adbabbab712764a50521d0615248f04d9a39c33e83302fcfd
    • Instruction ID: f2d04f8f8c0e0eef29889bec3387c98b97d36490cf334a12081d5e47f910ac4d
    • Opcode Fuzzy Hash: f7eb94f50969822adbabbab712764a50521d0615248f04d9a39c33e83302fcfd
    • Instruction Fuzzy Hash: CF512870E04618EBEF10AFE1D94ABEEBB74FF08715F10406AE50079181DB790669CF9A
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 004125E4
    • GetServiceKeyNameA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00412629
    • GetServiceKeyNameA.ADVAPI32(00000000,00000000,00000000,00000000), ref: 00412698
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004126C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$Name$CloseHandleManagerOpen
    • String ID: lsB
    • API String ID: 36220719-575463903
    • Opcode ID: ba0b665d0cf7ecba8be424d9aeee8334188d356285aecd4c130a9be1de58b9db
    • Instruction ID: 2f04bd873d50febb61cade8d8ae62cf1554ff60371fca872734000af08fb662b
    • Opcode Fuzzy Hash: ba0b665d0cf7ecba8be424d9aeee8334188d356285aecd4c130a9be1de58b9db
    • Instruction Fuzzy Hash: 704125B1E00305ABDB10DFA0DD46BEFBBB4AB08314F14446AF504BA281E7755B50DB9A
    APIs
    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00410767
    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 0041079B
    • lstrcpyn.KERNEL32(00000000,00000000,00000000), ref: 0041081F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressHandleModuleProclstrcpyn
    • String ID: GetSystemWow64DirectoryA$kernel32.dll
    • API String ID: 2801827026-4063490227
    • Opcode ID: 704d4a3f04d5bdef38290923aa2c52c3d797fbd242dbf732e803af96c823ba51
    • Instruction ID: 96ff23f04b955fbd5adda1bc60871f7e21eb93e494b727395a1fd0730f0cde7b
    • Opcode Fuzzy Hash: 704d4a3f04d5bdef38290923aa2c52c3d797fbd242dbf732e803af96c823ba51
    • Instruction Fuzzy Hash: BC313570E41309BBEB109FE1DD46BEEBAB1AB08704F204465F5047A2C1D7FA56948B9A
    APIs
    • wsprintfA.USER32 ref: 0041D436
    • wsprintfA.USER32 ref: 0041D44D
    • MessageBoxA.USER32(00000000,?,error,00000010), ref: 0041D497
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: wsprintf$Message
    • String ID: error$program internal error number is %d. %s
    • API String ID: 386942524-1911117719
    • Opcode ID: 6b485466e68c1c31431fc4e11c01e33484ec8790351a1080e336b74f933842a7
    • Instruction ID: 648a536df43ba85aacb80ca773a8a97b315871d8974c80b8de164206995dd208
    • Opcode Fuzzy Hash: 6b485466e68c1c31431fc4e11c01e33484ec8790351a1080e336b74f933842a7
    • Instruction Fuzzy Hash: 8021C6B1B052109FE7349B14DC41FEB33A8EB84700F84452AF88597280D778E9848BAB
    APIs
    • GetProcessHeap.KERNEL32 ref: 0041D559
    • HeapReAlloc.KERNEL32(00770000,00000000,?,?), ref: 0041D576
    • HeapAlloc.KERNEL32(00770000,00000008,?), ref: 0041D586
    • MessageBoxA.USER32(00000000,004286B8,error,00000010), ref: 0041D59F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Heap$Alloc$MessageProcess
    • String ID: error
    • API String ID: 2690588855-1574812785
    • Opcode ID: 29edad864b118e7195ea524e5629a0942666dd6500d41d7aecc4227fabd524db
    • Instruction ID: ed0e98808165461b65e589532a98cc97f462e965a62b402a8d59d838da79495c
    • Opcode Fuzzy Hash: 29edad864b118e7195ea524e5629a0942666dd6500d41d7aecc4227fabd524db
    • Instruction Fuzzy Hash: C7F0F0F0B42311BFD6249B60AC09F6B336AAB40711F404029B84597250D674D8418BAE
    APIs
      • Part of subcall function 0041EEC0: PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041EEDA
      • Part of subcall function 0041EEC0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041EF04
      • Part of subcall function 0041EEC0: TranslateMessage.USER32(?), ref: 0041EF0B
      • Part of subcall function 0041EEC0: DispatchMessageA.USER32(?), ref: 0041EF12
      • Part of subcall function 0041EEC0: PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041EF21
    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041876B
      • Part of subcall function 0041F920: Sleep.KERNEL32(00000000,004186AF,00000001,?,00000000,80000301), ref: 0041F929
    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 004186BD
    • GlobalFree.KERNEL32(00000000), ref: 004187A3
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004187CF
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004187FB
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Message$Service$CloseHandle$Peek$DispatchFreeGlobalQuerySleepStatusTranslate
    • String ID:
    • API String ID: 1939688605-0
    • Opcode ID: 6caaa84808d0a506d022e437a584a38f6d52c0294502b1d7a7bda84248c55ecd
    • Instruction ID: ca73dfe2c1b538866e0074e7452d12f25170d98dbad63869116b3933d2186997
    • Opcode Fuzzy Hash: 6caaa84808d0a506d022e437a584a38f6d52c0294502b1d7a7bda84248c55ecd
    • Instruction Fuzzy Hash: D3A1EAB1E80345ABEF00DF95ECC1B9DBBB5EF19324F280065F505AB341E679A8A1CB15
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID: %I64d$%lf
    • API String ID: 0-1545097854
    • Opcode ID: 3a971a702a77d6bc6ef28fb87aa63a09f46f117dda7049957c25f616c23c1f91
    • Instruction ID: 81e10eea4b6367879a1e497e77f4de6d87d8c1eddd76e1889a297438783ab35c
    • Opcode Fuzzy Hash: 3a971a702a77d6bc6ef28fb87aa63a09f46f117dda7049957c25f616c23c1f91
    • Instruction Fuzzy Hash: 6A51C4F1B082108BD738D7A89886AFF73959F80350F64492FFA56C2291D97DD8C6C25B
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00413A29
    • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 00413A6C
    • ChangeServiceConfigA.ADVAPI32(00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF,?,?,00000000,?,?,?,?), ref: 00413B72
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413BF7
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413C23
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$ChangeConfigManager
    • String ID:
    • API String ID: 3054356760-0
    • Opcode ID: ae2a958d911fb6910f8d66621cd5c19757aa819501e416f4406b3cd034f864a3
    • Instruction ID: 0d73acb18939f419d0de7bca10a6c753efef182e5d4f1cb2188558e5a5f4bf33
    • Opcode Fuzzy Hash: ae2a958d911fb6910f8d66621cd5c19757aa819501e416f4406b3cd034f864a3
    • Instruction Fuzzy Hash: 485158B1E40305BBEB109FA1CC47FEE7A70AB08715F140529F6147E2C2E7BA56908B99
    APIs
    • RegOpenKeyExA.ADVAPI32(?,0042736C,00000000,?,?), ref: 0040F940
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040F9D2
    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040FA53
    • RegCloseKey.ADVAPI32(?), ref: 0040FA93
    • RegCloseKey.ADVAPI32(?), ref: 0040FABF
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Close$CreateOpenValue
    • String ID:
    • API String ID: 678895439-0
    • Opcode ID: 1bf095a2b83bb2f696e4b096cd46df36e1c8eeeead08ae1b19105774df87ebb6
    • Instruction ID: d0eb9f4e2faffdfab12440a585a56125f7fa7f28a1db1523c5fcfc38c919904a
    • Opcode Fuzzy Hash: 1bf095a2b83bb2f696e4b096cd46df36e1c8eeeead08ae1b19105774df87ebb6
    • Instruction Fuzzy Hash: C0512171F40319BBEF109FA0DD47BAEBA75EB09704F500036F604BA2C1D7B956548BAA
    APIs
    • RegOpenKeyExA.ADVAPI32(?,0042736C,00000000,?,?), ref: 0040F940
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040F9D2
    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040FA53
    • RegCloseKey.ADVAPI32(?), ref: 0040FA93
    • RegCloseKey.ADVAPI32(?), ref: 0040FABF
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Close$CreateOpenValue
    • String ID:
    • API String ID: 678895439-0
    • Opcode ID: 269fbc8aec5621ebb150b3df707e714dbce7c46f05eb1b571180c86849d7a24b
    • Instruction ID: 646324d4934c2635100bec865a6a3881a35f850cb5ddb1700e14bfaedbacd4ed
    • Opcode Fuzzy Hash: 269fbc8aec5621ebb150b3df707e714dbce7c46f05eb1b571180c86849d7a24b
    • Instruction Fuzzy Hash: 36513070F40319BBEB109FA0DD47BAEBA70AB09704F100036F604BA2C1D2B956548BAA
    APIs
    • RegOpenKeyExA.ADVAPI32(?,0042736C,00000000,?,?), ref: 0040F940
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040F9D2
    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040FA53
    • RegCloseKey.ADVAPI32(?), ref: 0040FA93
    • RegCloseKey.ADVAPI32(?), ref: 0040FABF
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Close$CreateOpenValue
    • String ID:
    • API String ID: 678895439-0
    • Opcode ID: 6e557a926a73413502710d3031efd9e18c7d179b8dd052c2c3acae7e85e2f8e6
    • Instruction ID: 3f5158941ffe5f2423f0eaa4896d357b26fd118d3d0f80c1c892e855e7877ee2
    • Opcode Fuzzy Hash: 6e557a926a73413502710d3031efd9e18c7d179b8dd052c2c3acae7e85e2f8e6
    • Instruction Fuzzy Hash: 6E512171F40319BBEF109FA0DD47BAEBA75EB09704F500036F604BA2C1D7B956548BAA
    APIs
    • RegOpenKeyExA.ADVAPI32(?,0042736C,00000000,?,?), ref: 0040F940
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040F9D2
    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040FA53
    • RegCloseKey.ADVAPI32(?), ref: 0040FA93
    • RegCloseKey.ADVAPI32(?), ref: 0040FABF
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Close$CreateOpenValue
    • String ID:
    • API String ID: 678895439-0
    • Opcode ID: c9db2a3babedca06af5062497221a706c99fa6a7cfea411e848110fc344560c0
    • Instruction ID: 8f78e268fb974d5321c9cbb9e13ae0207ee5f58913c34f6029326ec3ff0cbf3d
    • Opcode Fuzzy Hash: c9db2a3babedca06af5062497221a706c99fa6a7cfea411e848110fc344560c0
    • Instruction Fuzzy Hash: E6512171F40319BBEF109FA0DD47BAEBA75EB09704F500036F604BA2C1D7B956548BAA
    APIs
    • RegOpenKeyExA.ADVAPI32(?,0042736C,00000000,?,?), ref: 0040F940
    • RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040F9D2
    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0040FA53
    • RegCloseKey.ADVAPI32(?), ref: 0040FA93
    • RegCloseKey.ADVAPI32(?), ref: 0040FABF
    Similarity
    • API ID: Close$CreateOpenValue
    • String ID:
    • API String ID: 678895439-0
    • Opcode ID: 057f20f6d6c201fc2d89a57894e58dd9152a98078a69896bfcddce6f90137d26
    • Instruction ID: 53353d584d65fb0f1a6353128fb28f5b7868167c468068f77fed1fe345181964
    • Opcode Fuzzy Hash: 057f20f6d6c201fc2d89a57894e58dd9152a98078a69896bfcddce6f90137d26
    • Instruction Fuzzy Hash: A4510071F40319BBEF109FA0DD47BAEBA75EB09704F500036F604BA2C1D6B95A548BA9
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00411B81
    • OpenServiceA.ADVAPI32(00000000,?,80000000), ref: 00411BC4
    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00411C00
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411C45
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00411C71
    Similarity
    • API ID: Service$CloseHandleOpen$ManagerQueryStatus
    • String ID:
    • API String ID: 2623946379-0
    • Opcode ID: 5ef4fd2ca5d7921638ad9d1d0ec238af2e254111a1832d1aa53e1090cee47b51
    • Instruction ID: fa3e4b6cf9f418752d8c85b436096e59abe3a2af06749a719dbbb70c62cd1f81
    • Opcode Fuzzy Hash: 5ef4fd2ca5d7921638ad9d1d0ec238af2e254111a1832d1aa53e1090cee47b51
    • Instruction Fuzzy Hash: 00316AB0E40308EBDB10EFA1DE46BEEBBB0AB09315F500065F1087A290E3755750CB96
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00412DB3
    • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 00412DF6
    • ControlService.ADVAPI32(00000000,00000002,?), ref: 00412E37
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412E66
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412E92
    Similarity
    • API ID: Service$CloseHandleOpen$ControlManager
    • String ID:
    • API String ID: 2705437689-0
    • Opcode ID: 6e992b1ff6c578b9849eb012ed72067ff3faa0a46adf6b86f0aa85abb9a80a2b
    • Instruction ID: 3e5cf29cc7b7ffc56edb174b2bb782768967ad5f38be94f3ef437054126918eb
    • Opcode Fuzzy Hash: 6e992b1ff6c578b9849eb012ed72067ff3faa0a46adf6b86f0aa85abb9a80a2b
    • Instruction Fuzzy Hash: B23158B0E40308EBDB10DFA1DD06BEEBBB0AB09715F544025F104BA281E6B65754CB9A
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00412F21
    • OpenServiceA.ADVAPI32(00000000,00000000,000F01FF), ref: 00412F64
    • ControlService.ADVAPI32(00000000,00000003,?), ref: 00412FA5
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412FD4
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413000
    Similarity
    • API ID: Service$CloseHandleOpen$ControlManager
    • String ID:
    • API String ID: 2705437689-0
    • Opcode ID: f8d55d3b780a3b6239360acbaf44f4e5782805e430ea95a91016e4b79906b6c5
    • Instruction ID: 230e3ebe1dec3a3712defd8f6d79e14248aa23317c2b83da941c068c596bc69a
    • Opcode Fuzzy Hash: f8d55d3b780a3b6239360acbaf44f4e5782805e430ea95a91016e4b79906b6c5
    • Instruction Fuzzy Hash: EF3156B0E40308EBDF10EFB1DD46BAEBBB1AB0D715F540025F108BA280E6B64755DB96
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000001), ref: 00412C45
    • OpenServiceA.ADVAPI32(00000000,00000000,00000020), ref: 00412C88
    • ControlService.ADVAPI32(00000000,00000001,?), ref: 00412CC9
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412CF8
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412D24
    Similarity
    • API ID: Service$CloseHandleOpen$ControlManager
    • String ID:
    • API String ID: 2705437689-0
    • Opcode ID: f31fb0f5c9d6e38541cf473a3a199fc1bb1fd37cf5b33103085c8e7895104e08
    • Instruction ID: c804d830310df2eb7525c10f65053febca7c7e56bd80e3585a7881df419b08eb
    • Opcode Fuzzy Hash: f31fb0f5c9d6e38541cf473a3a199fc1bb1fd37cf5b33103085c8e7895104e08
    • Instruction Fuzzy Hash: 7A3158B0E41304FBEB10EFB0DE06BEEBAB0AB09715F544025F108BA180E6B55755CB96
    APIs
    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0041EEDA
    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041EF04
    • TranslateMessage.USER32(?), ref: 0041EF0B
    • DispatchMessageA.USER32(?), ref: 0041EF12
    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041EF21
    Similarity
    • API ID: Message$Peek$DispatchTranslate
    • String ID:
    • API String ID: 1795658109-0
    • Opcode ID: 2e60e13271cb28fb52f4422e45d2fbf32f24b92e8ec2961e527cb2d4e681aad0
    • Instruction ID: df9e9a7742128004fe1217001b003d9dd65b5148cdc7da8e54c9383c6b48d807
    • Opcode Fuzzy Hash: 2e60e13271cb28fb52f4422e45d2fbf32f24b92e8ec2961e527cb2d4e681aad0
    • Instruction Fuzzy Hash: 12018176340305B6E230DB55AC42FA77758EB84B50F940859FB00AA1D0D7B4F949CB7E
    APIs
    • LoadLibraryA.KERNEL32 ref: 004045BF
    • GetProcAddress.KERNEL32(?), ref: 004045F4
      • Part of subcall function 00405004: GetCurrentProcessId.KERNEL32(?,004049A4,?,?,00000000,00000000), ref: 00405012
      • Part of subcall function 0040503F: OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 004050A0
      • Part of subcall function 0040266C: OpenEventA.KERNEL32(001F0003,00000000,004012C3,?,004012C3), ref: 00402690
      • Part of subcall function 00405AB1: CloseHandle.KERNEL32(?,00000000), ref: 00405AC2
      • Part of subcall function 0041DB10: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 0041DB22
      • Part of subcall function 0041DBA0: GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,00000000,00427215), ref: 0041DBB8
    Strings
    Similarity
    • API ID: FileModuleNameOpenProcess$AddressCloseCurrentEventHandleLibraryLoadProc
    • String ID: /_$_DECRAGE
    • API String ID: 207943232-886320553
    • Opcode ID: 68a85c76b623431e2eb920f985d00bebbcacad90e5c6ae0139dfd9bc019b5cbf
    • Instruction ID: fbda0af1fb73edac255e97afbd74dfd3a109a528f02437e51a89ac438be340f2
    • Opcode Fuzzy Hash: 68a85c76b623431e2eb920f985d00bebbcacad90e5c6ae0139dfd9bc019b5cbf
    • Instruction Fuzzy Hash: 4BE157F1E40205ABEF10DFE5DC86B9E76B4AB48304F14003AF605BA2D1E77E9A54CB59
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0041247F
    • GetServiceDisplayNameA.ADVAPI32(00000000,00000000,00000000,?), ref: 00412505
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00412534
    Strings
    Similarity
    • API ID: Service$CloseDisplayHandleManagerNameOpen
    • String ID: lsB
    • API String ID: 2066901978-575463903
    • Opcode ID: e2d2f0e3330092bce66ec5e53fd09d1382f175141e7713ed22fe1d2d21b21ee4
    • Instruction ID: 6eb7a9b0a31ed17860fbbbbe8981b14f03aa2c6c69103397c6523548cc881aaf
    • Opcode Fuzzy Hash: e2d2f0e3330092bce66ec5e53fd09d1382f175141e7713ed22fe1d2d21b21ee4
    • Instruction Fuzzy Hash: 893187B0E40305BBEB10DFA5DD86BEE7BB5AB08304F14442AB504FA281E7B956909B95
    APIs
    • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00407D27,00000000), ref: 00407E20
    Strings
    Similarity
    • API ID: FileNameTemp
    • String ID: lsB$lsB
    • API String ID: 745986568-2359463181
    • Opcode ID: 840abbd33ab442680bd9a5ffa0eaf8b5fbe51ce441632e1bbc48a26e5dbcdb70
    • Instruction ID: 3e6ac1e7b1449a20cb5b1353218be54249fd34c2b3bda9f25f32ec11d1e4b275
    • Opcode Fuzzy Hash: 840abbd33ab442680bd9a5ffa0eaf8b5fbe51ce441632e1bbc48a26e5dbcdb70
    • Instruction Fuzzy Hash: 8B318971E05304BBDB10EBB5DC82B9E7AB4AB08704F1044B7F604BA2C1E7796E51979B
    APIs
    • GetProcessHeap.KERNEL32(0041DF96,00000009,00427380,00402849,00000001,00000001,00000000,80000301), ref: 0041D4B9
    • HeapAlloc.KERNEL32(00770000,00000008,80000301,00000001,0041DF96,00000009,00427380,00402849,00000001,00000001,00000000,80000301), ref: 0041D4CD
    • MessageBoxA.USER32(00000000,004286B8,error,00000010), ref: 0041D4E6
    Strings
    Similarity
    • API ID: Heap$AllocMessageProcess
    • String ID: error
    • API String ID: 445856604-1574812785
    • Opcode ID: 737695422d5f27857d6fbbd75782ed6959f042faddec39610d2186c9edb7dfbb
    • Instruction ID: 40104aaf607790664e3319b82313945d75a267dfa5a28ba82e2e6397f323c779
    • Opcode Fuzzy Hash: 737695422d5f27857d6fbbd75782ed6959f042faddec39610d2186c9edb7dfbb
    • Instruction Fuzzy Hash: D8E0D8F1F42621BBC7319B64BC0EB8B36549B14751F400125FC48D6290EA74B8518B9E
    APIs
    • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,?,00000000,?,?,?,00000000,?,?,?,?), ref: 0040EBFD
    • RegEnumValueA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 0040ECF2
    • RegEnumValueA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 0040ED97
    • RegCloseKey.ADVAPI32(00000000), ref: 0040EF63
    Similarity
    • API ID: EnumValue$CloseInfoQuery
    • String ID:
    • API String ID: 224134890-0
    • Opcode ID: b83207134ca14e74ff92c32bca48c519340684260298d857a002d84f023e7483
    • Instruction ID: 491efff5f5bc72e0bc503df9bfc9940f632accf3de78d68c4fd59f9487483a2f
    • Opcode Fuzzy Hash: b83207134ca14e74ff92c32bca48c519340684260298d857a002d84f023e7483
    • Instruction Fuzzy Hash: EB021CB1E00209ABEB10DFA5DC81BDEBBB4EF1C314F14442AF905FB381E67999518B65
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004063FE
    • Process32Next.KERNEL32(000000FF,00000000), ref: 004064D1
    • Process32Next.KERNEL32(000000FF,00000000), ref: 004066A9
    • CloseHandle.KERNEL32(000000FF), ref: 00406793
    Similarity
    • API ID: NextProcess32$CloseCreateHandleSnapshotToolhelp32
    • String ID:
    • API String ID: 1175704045-0
    • Opcode ID: f9d755127ff500c180dee6e73056acb34731a3536204ff9d8cd9dbbf11dd24f1
    • Instruction ID: 422f10df47fcb628e5dfd326baa38512c8b29815af5738e5010f05facaa8e461
    • Opcode Fuzzy Hash: f9d755127ff500c180dee6e73056acb34731a3536204ff9d8cd9dbbf11dd24f1
    • Instruction Fuzzy Hash: 8BD130F1A412429BEB00CFA8DCC179977E1EF59328F290475E50AAB344D379B961CB62
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041BFFB
    • ReadProcessMemory.KERNEL32(?,0041A65D,00000000,00000000), ref: 0041C09D
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041C1FD
    • ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 0041C29F
    Similarity
    • API ID: Process$CurrentMemoryRead
    • String ID:
    • API String ID: 267060218-0
    • Opcode ID: 05cfc3698fe057f348d9ef71ba50c8a66f0e7524ab12dd3d990a348de33ae3dd
    • Instruction ID: ad37ff29608794651f4f61ea742610cc2a33874278e38a75aa1e7cecb4d3956e
    • Opcode Fuzzy Hash: 05cfc3698fe057f348d9ef71ba50c8a66f0e7524ab12dd3d990a348de33ae3dd
    • Instruction Fuzzy Hash: 25B14EF1A802569BEF00CFA9DCC1B99B7B0EF19324F280475E509AB341D378B951DB66
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041BFFB
    • ReadProcessMemory.KERNEL32(?,0041A65D,00000000,00000000), ref: 0041C09D
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041C1FD
    • ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 0041C29F
    Similarity
    • API ID: Process$CurrentMemoryRead
    • String ID:
    • API String ID: 267060218-0
    • Opcode ID: 265d04004f5d25bdf573eb173e32726ecf7da5b77d6b630963886ceb210896a8
    • Instruction ID: ad37ff29608794651f4f61ea742610cc2a33874278e38a75aa1e7cecb4d3956e
    • Opcode Fuzzy Hash: 265d04004f5d25bdf573eb173e32726ecf7da5b77d6b630963886ceb210896a8
    • Instruction Fuzzy Hash: 25B14EF1A802569BEF00CFA9DCC1B99B7B0EF19324F280475E509AB341D378B951DB66
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041BFFB
    • ReadProcessMemory.KERNEL32(?,0041A65D,00000000,00000000), ref: 0041C09D
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041C1FD
    • ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 0041C29F
    Similarity
    • API ID: Process$CurrentMemoryRead
    • String ID:
    • API String ID: 267060218-0
    • Opcode ID: 315a26820c56f28bf4b2268d0a630baad76602b963ff17a5bd4afb9885dae097
    • Instruction ID: ad37ff29608794651f4f61ea742610cc2a33874278e38a75aa1e7cecb4d3956e
    • Opcode Fuzzy Hash: 315a26820c56f28bf4b2268d0a630baad76602b963ff17a5bd4afb9885dae097
    • Instruction Fuzzy Hash: 25B14EF1A802569BEF00CFA9DCC1B99B7B0EF19324F280475E509AB341D378B951DB66
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041BFFB
    • ReadProcessMemory.KERNEL32(?,0041A65D,00000000,00000000), ref: 0041C09D
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041C1FD
    • ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 0041C29F
    Similarity
    • API ID: Process$CurrentMemoryRead
    • String ID:
    • API String ID: 267060218-0
    • Opcode ID: 28078a498a47341dd9318380c77145f92fd3c335cb5db8b0f0b6f99762003c72
    • Instruction ID: ad37ff29608794651f4f61ea742610cc2a33874278e38a75aa1e7cecb4d3956e
    • Opcode Fuzzy Hash: 28078a498a47341dd9318380c77145f92fd3c335cb5db8b0f0b6f99762003c72
    • Instruction Fuzzy Hash: 25B14EF1A802569BEF00CFA9DCC1B99B7B0EF19324F280475E509AB341D378B951DB66
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0041BFFB
    • ReadProcessMemory.KERNEL32(?,0041A65D,00000000,00000000), ref: 0041C09D
    • GetCurrentProcess.KERNEL32(?,00000000), ref: 0041C1FD
    • ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000), ref: 0041C29F
    Similarity
    • API ID: Process$CurrentMemoryRead
    • String ID:
    • API String ID: 267060218-0
    • Opcode ID: e20760fa600bc6fb462b48d55136f0bf98047d50d0540a0f2df811f4ef6de151
    • Instruction ID: ad37ff29608794651f4f61ea742610cc2a33874278e38a75aa1e7cecb4d3956e
    • Opcode Fuzzy Hash: e20760fa600bc6fb462b48d55136f0bf98047d50d0540a0f2df811f4ef6de151
    • Instruction Fuzzy Hash: 25B14EF1A802569BEF00CFA9DCC1B99B7B0EF19324F280475E509AB341D378B951DB66
    APIs
    • LoadLibraryA.KERNEL32 ref: 0040D65F
    • GetProcAddress.KERNEL32(?), ref: 0040D694
    • LoadLibraryA.KERNEL32(?,00000013,00000001,00000001,00000001,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D773
    • GetProcAddress.KERNEL32(?), ref: 0040D7A8
      • Part of subcall function 00404B1B: IsBadCodePtr.KERNEL32(00000000), ref: 00404B2C
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc$Code
    • String ID:
    • API String ID: 3251064535-0
    • Opcode ID: 584a99becaa769af7753d35085d7f8927d921500dfa81f3fa53440b0cab8bfaf
    • Instruction ID: 23022ddeeb7f54d09aab1668498806af0ab9741bd49eef725d6af1dd8eef1c5c
    • Opcode Fuzzy Hash: 584a99becaa769af7753d35085d7f8927d921500dfa81f3fa53440b0cab8bfaf
    • Instruction Fuzzy Hash: F95194B4E41308BBEF219F90DD46BDDBEB1BB08B14F604059F6043A2E0C3BA25559F59
    APIs
    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000), ref: 0040442C
    • RegCreateKeyExW.ADVAPI32(00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00404492
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CreateOpen
    • String ID:
    • API String ID: 436179556-0
    • Opcode ID: 99dc5a138dbeb3e56d316a0118553b8359c471d4353ee3e014bc5f71151856e1
    • Instruction ID: a820d938e3ceb1813da909b43a739ef35b03fc955e93d9588feafc7ac8b2f1cc
    • Opcode Fuzzy Hash: 99dc5a138dbeb3e56d316a0118553b8359c471d4353ee3e014bc5f71151856e1
    • Instruction Fuzzy Hash: 315165B4E40308FBEF109F90DC46BAE7BB4EB45715F144466FA04BA2C1D3B99A50CB95
    APIs
    • GetCurrentProcess.KERNEL32 ref: 004072F1
    • CreateIoCompletionPort.KERNEL32(?,00000000,00000000,00000000), ref: 0040732F
    • GetQueuedCompletionStatus.KERNEL32(00000000,?,?,?,?), ref: 0040738F
    • CloseHandle.KERNEL32(00000000), ref: 004073BB
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Completion$CloseCreateCurrentHandlePortProcessQueuedStatus
    • String ID:
    • API String ID: 345563290-0
    • Opcode ID: 06a3baee19f52e27edd5011469fefa0f183d07c4b307431e84b0c1855a847ce0
    • Instruction ID: dcd28198e68ad4238ffcf64221127fecb3f101b567b2f3aad2bbbdbce24bb8e3
    • Opcode Fuzzy Hash: 06a3baee19f52e27edd5011469fefa0f183d07c4b307431e84b0c1855a847ce0
    • Instruction Fuzzy Hash: CF213070E44308ABEB10AFA4DD067AEBB75EB09710F104476B904BA2C0E7795650DF9A
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: free$Stringmalloc
    • String ID:
    • API String ID: 3576809655-0
    • Opcode ID: 7349006d07cb3dcae48f1f3ce1cc57c630e216b3cd826b13ca2648b0de6d3310
    • Instruction ID: 0cad1afd77b23511b22d69e86288af611add931931e56c7f5532adab5a02c5d7
    • Opcode Fuzzy Hash: 7349006d07cb3dcae48f1f3ce1cc57c630e216b3cd826b13ca2648b0de6d3310
    • Instruction Fuzzy Hash: 211102F23023242FD2149B65AC42E7B72DCDBD8604F90452EF60292202DE78E94587AE
    APIs
    • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0041306B
    • OpenServiceA.ADVAPI32(00000000,?,80000000), ref: 004130AE
    • CloseServiceHandle.ADVAPI32(00000000), ref: 004130DD
    • CloseServiceHandle.ADVAPI32(00000000), ref: 00413109
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Service$CloseHandleOpen$Manager
    • String ID:
    • API String ID: 4196757001-0
    • Opcode ID: 1affe47ea5f99f24aff9d34ebd1f2a07e6b8da3d37af71b740a03b2035711547
    • Instruction ID: 88196c9a1115e9ce17f529d00f6a557e972ccb59d6d057f70dc0d653b8b6ecd5
    • Opcode Fuzzy Hash: 1affe47ea5f99f24aff9d34ebd1f2a07e6b8da3d37af71b740a03b2035711547
    • Instruction Fuzzy Hash: C32175B0E40308FBDB10AFA2DD07B9DBBB1EB09715F508066F5047A180D67A4794DF9A
    APIs
    • RegEnumValueA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0040F087
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: EnumValue
    • String ID: lsB
    • API String ID: 2814608202-575463903
    • Opcode ID: 8185f3e648eeda7f3077b383fbee750bd06f755cb76c290e49a95d14f1982ffd
    • Instruction ID: c9e2782bbae2b25368c71bf82a72d0867452c9fa26ab8eccf89328121d26640c
    • Opcode Fuzzy Hash: 8185f3e648eeda7f3077b383fbee750bd06f755cb76c290e49a95d14f1982ffd
    • Instruction Fuzzy Hash: 089184B1E00219DBEF10DFE1CC82BAFB674AB18304F14043AEA157A2C2E77E59558B59
    APIs
    • CallWindowProcA.USER32(00000000,00000000,00000000,00000000,?), ref: 00411601
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2033118194.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033178996.0000000000425000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033211388.0000000000427000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033226885.0000000000428000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033242238.0000000000429000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033289665.000000000042A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2033309325.000000000043A000.00000008.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CallProcWindow
    • String ID: :xB$[A
    • API String ID: 2714655100-3416101520
    • Opcode ID: a0b2edfdb1dddd2a88cb0bdcf1334f6df203742a8fdbd2cb3d9656bbf97b34a8
    • Instruction ID: 96d206800348fdd84272337406c6bfbf5d73ae028419c0739b8d27b0c6cc631a
    • Opcode Fuzzy Hash: a0b2edfdb1dddd2a88cb0bdcf1334f6df203742a8fdbd2cb3d9656bbf97b34a8
    • Instruction Fuzzy Hash: 7811B9B1E00208BFDB10EFE59C45BDF7BB9DB08314F04446BFA08A6151E67A96509B59
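The per-function "APIs" records above (the LoadLibraryA/GetProcAddress pair at 0040D65F..0040D7A8, the RegOpenKeyExW/RegCreateKeyExW pair at 0040442C/00404492, the OpenSCManagerA/OpenServiceA pair at 0041306B/004130AE) are what the report's signatures such as "Contains functionality to dynamically determine API calls" key on. As an added example, which is neither Joe Sandbox code nor part of this report, the parser below reads records in exactly the "Api.Module(args), ref: address" layout shown on this page, groups the calls per function record and flags API combinations per function. The rule table mapping signature wording to API sets is my own assumption about what those signatures look for, not Joe Sandbox's actual rules, and the sample input is a constructed excerpt copied from the records above.

```python
"""Triage the per-function "APIs" records of a Joe Sandbox execution-graph export.

Added example, not Joe Sandbox code: parses "<Api>.<Module>(<args>), ref: <addr>"
lines, groups them into function records (one per "APIs" heading) and flags
API combinations that correspond to the report's signature wording.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Matches the three shapes seen in the report:
#   "• LoadLibraryA.KERNEL32 ref: 0040D65F"
#   "• GetProcAddress.KERNEL32(?), ref: 0040D694"
#   "  • Part of subcall function 00404B1B: IsBadCodePtr.KERNEL32(00000000), ref: 00404B2C"
API_LINE = re.compile(
    r"^\s*(?:•|\*|-)?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Signature label -> APIs that must all appear in one function record.
# ASSUMPTION: these sets are my reading of the report's signature names,
# not the sandbox's real matching logic.
RULES = {
    "dynamically determine API calls": {"LoadLibraryA", "GetProcAddress"},
    "enumerate/open services": {"OpenSCManagerA", "OpenServiceA"},
    "create registry key": {"RegCreateKeyExW"},
    "enumerate registry values": {"RegEnumValueA"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                      # call-site address, parsed from the hex "ref:"
    subcall_of: Optional[int]     # set when the call lives in a listed subcall


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    opcode_id: str = ""

    def api_names(self):
        return {c.api for c in self.calls}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the export into records; each "APIs" heading opens a new one."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if m:
            args = tuple(a.strip() for a in m.group("args").split(",")) if m.group("args") else ()
            current.calls.append(ApiCall(
                api=m.group("api"), module=m.group("module"), args=args,
                ref=int(m.group("ref"), 16),
                subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
            continue
        # The Opcode ID that follows the API list identifies the function.
        if line.lstrip("•*- ").startswith("Opcode ID:"):
            current.opcode_id = line.split(":", 1)[1].strip()
    return records


def triage(text: str):
    """Return one finding per (record, rule) whose API set is fully present."""
    findings = []
    for rec in parse_records(text):
        names = rec.api_names()
        for label, needed in RULES.items():
            if needed <= names:
                refs = sorted(c.ref for c in rec.calls if c.api in needed)
                findings.append({"signature": label,
                                 "opcode_id": rec.opcode_id[:12],
                                 "refs": [f"{r:08X}" for r in refs]})
    return findings


# Constructed sample: an excerpt of the records shown on this page.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32 ref: 0040D65F
• GetProcAddress.KERNEL32(?), ref: 0040D694
• LoadLibraryA.KERNEL32(?,00000013,00000001), ref: 0040D773
• GetProcAddress.KERNEL32(?), ref: 0040D7A8
  • Part of subcall function 00404B1B: IsBadCodePtr.KERNEL32(00000000), ref: 00404B2C
Memory Dump Source
• Source File: 00000000.00000002.2033139735.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressLibraryLoadProc$Code
• Opcode ID: 584a99becaa769af7753d35085d7f8927d921500dfa81f3fa53440b0cab8bfaf
APIs
• RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000), ref: 0040442C
• RegCreateKeyExW.ADVAPI32(00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00404492
Similarity
• Opcode ID: 99dc5a138dbeb3e56d316a0118553b8359c471d4353ee3e014bc5f71151856e1
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0041306B
• OpenServiceA.ADVAPI32(00000000,?,80000000), ref: 004130AE
• CloseServiceHandle.ADVAPI32(00000000), ref: 004130DD
Similarity
• Opcode ID: 1affe47ea5f99f24aff9d34ebd1f2a07e6b8da3d37af71b740a03b2035711547
APIs
• GetCurrentProcess.KERNEL32 ref: 004072F1
• CreateIoCompletionPort.KERNEL32(?,00000000,00000000,00000000), ref: 0040732F
Similarity
• Opcode ID: 06a3baee19f52e27edd5011469fefa0f183d07c4b307431e84b0c1855a847ce0
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['opcode_id']}  {f['signature']:32s}  at {', '.join(f['refs'])}")
```

The call-site addresses in each finding are the "ref:" values, so a finding can be followed straight back into the dump listed under "Memory Dump Source" (image base 00400000) in IDA or a debugger. The fourth record (GetCurrentProcess/CreateIoCompletionPort) deliberately matches no rule, which is the expected outcome for ordinary I/O plumbing.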