
Windows Analysis Report
SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Analysis ID:1528324
MD5:038aeec194f57b9b270b4c7163d5a6b3
SHA1:c901cf779694e1d7f5a79f9de088744b17068adb
SHA256:5cb230932976abcbdc63ecb275ff92d00d37f94b31cb482cb60dfb4400f86568
Tags:exe

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe" MD5: 038AEEC194F57B9B270B4C7163D5A6B3)
    • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7364 cmdline: C:\Windows\system32\WerFault.exe -u -p 7256 -s 208 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- ReversingLabs: Detection: 42%
Source: Amcache.hve.4.dr -- String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7256 -s 208
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: Number of sections : 15 > 10
Source: classification engine -- Classification label: mal52.evad.winEXE@3/6@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00401550 CreateToolhelp32Snapshot,Process32First,printf,CloseHandle,CloseHandle,0_2_00401550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00401627 OpenSCManagerA,GetLastError,printf,OpenServiceA,GetLastError,printf,CloseHandle,CloseHandle,printf,StartServiceA,GetLastError,printf,CloseHandle,printf,SleepEx,QueryServiceStatusEx,CloseHandle,0_2_00401627
Source: C:\Windows\System32\conhost.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7264:120:WilError_03
Source: C:\Windows\System32\WerFault.exe -- Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7256
Source: C:\Windows\System32\WerFault.exe -- File created: C:\ProgramData\Microsoft\Windows\WER\Temp\bbd6564c-be9c-45e7-af3b-2b09a0637bba
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown -- Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Section loaded: apphelp.dll
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: .xdata
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /4
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /19
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /31
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /45
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /57
Source: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Static PE information: section name: /70
Source: C:\Windows\System32\WerFault.exe -- Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe -- Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.4.dr -- Binary or memory string: VMware
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr -- Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr -- Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr -- Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr -- Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr -- Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr -- Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr -- Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr -- Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr -- Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr -- Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr -- Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr -- Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr -- Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr -- Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr -- Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr -- Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr -- Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr -- Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr -- Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr -- Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr -- Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr -- Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr -- Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,0_2_00401180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00403361 SetUnhandledExceptionFilter,0_2_00403361
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00401ED0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,0_2_00401ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00409380 SetUnhandledExceptionFilter,0_2_00409380
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe -- Code function: 0_2_00401DF0 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_00401DF0
Source: Amcache.hve.4.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr -- Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr -- Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (one row per rendered matrix row; a leading number in a cell is the count of matched signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Service Execution | 1 Windows Service | 1 Windows Service | 11 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 DLL Side-Loading | Security Account Manager | 11 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 2 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Behavior Graph (rendered graphic not reproduced). Behavior Graph ID: 1528324; Sample: SecuriteInfo.com.Win64.Malw...; Startdate: 07/10/2024; Architecture: WINDOWS; Score: 52
Graph nodes: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe started (signatures: Multi AV Scanner detection for submitted file; Found API chain indicative of debugger detection), which started WerFault.exe and conhost.exe

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe | 42% | ReversingLabs | Win64.PUA.Generic |
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | URL Reputation: safe | unknown
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1528324
Start date and time:2024-10-07 19:26:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 6s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Detection:MAL
Classification:mal52.evad.winEXE@3/6@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 5
  • Number of non-executed functions: 18
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.20
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; report is missing behavior information
  • VT rate limit hit for: SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Time | Type | Description
13:27:11 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.7010845932714582
Encrypted:false
SSDEEP:96:yVF4APlXUsvhDi2GjxfUQXIDcQMc6WcENcw38Y+HbHg/opAnhZAX/d5FMT2SlPkh:uFVUOM0iS3ijRzuiFpZ24lO8nn
MD5:9FE3D962C83130AACFF00BA6DC797F5E
SHA1:FCE988598AB073AF7D98D38405703B2C18236C5C
SHA-256:C4705372B104BECA63453121E81DB1360B170ECCBFAF3EA9165FE00EF8D7A29B
SHA-512:66B1A05C000F68D6216C1734C09A785BB3C33312C128CC4B0D649339981AA5984E275C7EA21E93DA5154C50C05D9ABC6D9E9106A04B5A365FE2938C4624D61D8
Malicious:false
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.6.1.8.7.8.5.2.1.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.6.1.9.0.3.5.2.1.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.f.8.2.c.4.3.-.7.a.1.6.-.4.2.9.6.-.8.c.9.1.-.1.1.f.0.f.1.e.3.d.5.2.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.8.4.9.9.9.a.-.c.a.0.3.-.4.3.6.c.-.b.1.9.9.-.9.5.f.0.1.b.5.5.b.4.6.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...W.i.n.6.4...M.a.l.w.a.r.e.X.-.g.e.n...2.4.6.5.2...4.7.7...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.5.8.-.0.0.0.1.-.0.0.1.4.-.4.c.5.9.-.c.a.1.c.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.3.3.c.2.4.4.1.4.3.9.3.6.3.9.0.b.d.8.a.e.c.0.7.7.2.8.0.0.a.2.2.0.0.0.0.f.f.f.f.!.0.0.0.0.c.9.0.1.c.f.7.7.9.6.9.4.e.1.d.7.f.5.a.7.9.f.9.d.e.0.8.8.7.4.4.b.1.7.0.6.8.a.d.b.!.S.e.c.u.r.i.
Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 14 streams, Mon Oct 7 17:26:58 2024, 0x1205a4 type
Category:dropped
Size (bytes):49322
Entropy (8bit):1.4893803531684575
Encrypted:false
SSDEEP:96:5X8xyXh32rK3zBYi7n9+3A2YXpnxVvnVYmJTGTeRqZiyWIHsIhh+XYqIcvc:CgPmOn5T1numfqsohcYx
MD5:EAB0B76A35353586EA2EA720882E9536
SHA1:D765F3DA54F49F98C542C89EB21E3D851A7CE1DF
SHA-256:7F748963A1C30A008EAD64506C38C446E239D42AE709D61791EDD1F373453833
SHA-512:F08419A1F8580A18935B484DD3EFEBE70FEC7608CF3943D425FA06E8244DFDFBED71E04475AD7C00103A79782B25527249E6AF86D7D55972A124E1B5F411061D
Malicious:false
Reputation:low
Preview:MDMP..a..... ..........g........................................."..........T.......8...........T...........................l...........X...............................................................................eJ..............Lw......................T.......X......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8650
Entropy (8bit):3.7020255586272253
Encrypted:false
SSDEEP:192:R6l7wVeJlGE46Y9WL9sgmf/zprO89b3wzsf0B9m:R6lXJEE46YcL9sgmf/J3ksff
MD5:1E8D416B2138E64D35B1E298C2B91597
SHA1:EF066C59F729060F7F4B97ED91C15A99972530CF
SHA-256:A132A6BD2E832D7BF187842AE66EC7BC84D771B2ED57BDBC8F1C012AC32EA0F6
SHA-512:F69EDE56205E25EB1C581A55F3DA08F65CCF91CA17333AB388AEDE461B6F5631EE103CC791453955515FA0B60DB1E8D30B4FD6607EF0B1D4B0F4A3EE83455AC4
Malicious:false
Reputation:low
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.5.6.<./.P.i.
Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4820
Entropy (8bit):4.532573630777288
Encrypted:false
SSDEEP:48:cvIwWl8zsnrJg771I9oTWpW8VYiYm8M4J5nZlFryq85dzzYX959hQd:uIjfnFI7/i7VSJfiYN7hQd
MD5:710EEEE5A008549CE6A69AC11224A0E0
SHA1:BA0448376A8521A86EF0E8D974BF6CBFABBA6332
SHA-256:3A6E53A79EF6CFFCF0D0634B7ADC9C64E9DF3DEF5B69853B8F4862C187220E30
SHA-512:391AB7397603FC7C27E766A256CD4BC107055DC22391B1D3BE9525FE1CED0DB64CBE6C39E56092964DACC636071720221FF1DC0CC19C81E90ED4E94DFBD5BF12
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533309" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.465845532028439
Encrypted:false
SSDEEP:6144:lIXfpi67eLPU9skLmb0b4WWSPKaJG8nAgejZMMhA2gX4WABl0uNodwBCswSbu:GXD94WWlLZMM6YFHO+u
MD5:411B81574009EFF2E153674E2FA4749E
SHA1:024E7EFC8F1C8F1140CED915BC2614C54C300722
SHA-256:08111D2FA562F76EBB9424E589330DB2334E2AAB22BEDDC4925F4C2347C7D5A6
SHA-512:A2060530D0F6643565D0019E7288B2482BD0FA975104F139BF10C68671C47D1E48ACF3156D348599286CFEE3CF53EF2AF32B6344FA4052127E31EC054C8E7CF6
Malicious:false
Reputation:low
Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.f..................................................................................................................................................................................................................................................................................................................................................f..)........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):101
Entropy (8bit):4.923810216147091
Encrypted:false
SSDEEP:3:TsuvdARFSKJKF0CF1JfsEmS/IEbEsbUYGXG:x16FSso0zEQsqXG
MD5:C63453B1FF219B51D3229D2BE73A81CC
SHA1:900AF9F57E158D14BE44244593D8BDEEDD20BC6C
SHA-256:F6ACA7AA753B6F15C363C98820C44CC09A7E1D30721BC95DD475784A49C68E04
SHA-512:5F2EC1CDFF3987B716EB04739E3C3C8ED9CFC332AB4F053B75919BE7A613879EE2141A61970E00CDFC92C2B76FC7CFE03AA451EC2D500D23A5B5151B0B579F52
Malicious:false
Reputation:low
Preview:[GetProcByPID] Process winlogon.exe PID is 552..[ElevateSystem] ImpersonateByPID(SYSTEM) succeeded...
File type:PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):4.845965663277242
TrID:
  • Win64 Executable Console (202006/5) 92.64%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • VXD Driver (31/22) 0.01%
File name:SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
File size:63'351 bytes
MD5:038aeec194f57b9b270b4c7163d5a6b3
SHA1:c901cf779694e1d7f5a79f9de088744b17068adb
SHA256:5cb230932976abcbdc63ecb275ff92d00d37f94b31cb482cb60dfb4400f86568
SHA512:cd96a7655c7336b9ad194efce10cc74b8028acc944ef70b7437e75d559efe39d3a9fd86bb6f652966e784e502874c149189d5e5dd3fe01095a4a01901cb109ee
SSDEEP:768:M1QRyU/GyIfEqTIYv4gKNwFPbJdqPpgawruN4+NPv:HRgEqTIm4gKN2PbJeKh+V
TLSH:FA5383E43AD89C9AEA14423C41EAD332367DB9D0D6534B03663077321F12EE57AD726E
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...7..b.z..c.....'......&...J................@..............................0................ ............................
Icon Hash:90cececece8e8eb0
Entrypoint:0x4014e0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:
Time Stamp:0x6297B637 [Wed Jun 1 18:55:51 2022 UTC]
TLS Callbacks:0x402000
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:d258f5cd6c09b26fe17e54bb131b7ea0
Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [00004335h]
mov dword ptr [eax], 00000000h
call 00007F8F94AD7FCFh
call 00007F8F94AD735Ah
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax+00h]
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
call 00007F8F94AD93F4h
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F8F94AD76A9h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
sub esp, 00000160h
dec eax
lea ebp, dword ptr [esp+00000080h]
dec eax
mov dword ptr [ebp+000000F0h], ecx
mov edx, 00000000h
mov ecx, 00000002h
call 00007F8F94AD9577h
dec eax
mov dword ptr [ebp+000000D0h], eax
mov dword ptr [ebp+000000DCh], 00000000h
mov dword ptr [ebp-60h], 00000130h
dec eax
lea eax, dword ptr [ebp-60h]
dec eax
mov ecx, dword ptr [ebp+000000D0h]
dec eax
mov edx, eax
call 00007F8F94AD94D4h
test eax, eax
je 00007F8F94AD7732h
dec eax
lea eax, dword ptr [ebp+00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9000 | 0xa50 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6000 | 0x2b8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x5420 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9280 | 0x230 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x1000           0x24d8        0x2600    32fe1b5010fa7ae288b4946eb5aab14e  False     0.5596217105263158  data       5.849162727293986    IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data   0x4000           0xd0          0x200     bb4fd8e54d0b15380388826ea4415daf  False     0.130859375         data       0.810653616597643    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x5000           0x8b0         0xa00     5b1c8fc87fb3d1dafce6c78733e40631  False     0.3421875           data       4.2158448155129715   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata  0x6000           0x2b8         0x400     54bc10ae674babc24544f1cc1b57b857  False     0.38671875          data       2.9729113015295865   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata  0x7000           0x248         0x400     c2a43260b4c6cd59c7b1b529125d0c75  False     0.2705078125        data       2.7106468998434363   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss    0x8000           0x9a0         0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x9000           0xa50         0xc00     bbe01f240ec8910cf34405ede32431ba  False     0.3157552083333333  data       3.775019171787077    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT    0xa000           0x68          0x200     a924c32f74a00ed1cb62e7cb9400304f  False     0.0703125           data       0.25451054171027127  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0xb000           0x10          0x200     bf619eac0cdf3f68d496ea9344137e8b  False     0.02734375          data       0.0                  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
/4      0xc000           0x50          0x200     c28488e1fbfcfaec28e873e47909854b  False     0.0703125           data       0.2162069074398449   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19     0xd000           0x1f08        0x2000    61355e59550eb26c88c0faafcec45f1f  False     0.4598388671875     data       5.822881056706139    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/31     0xf000           0x149         0x200     5d291f74219487bffd06356d36f3a0e4  False     0.375               data       3.2872917906726884   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/45     0x10000          0x222         0x400     9cb4b5eafa0331c2e36df8ba59308698  False     0.287109375         data       3.223789652893945    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/57     0x11000          0x48          0x200     175cd841f221fd6ecf31f79982145928  False     0.119140625         data       0.6892440741542495   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/70     0x12000          0x9b          0x200     406b70665a5983d1f1682455c669f732  False     0.259765625         data       2.320780444544343    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Two things to read from this table rather than from the signature names. First, the IMAGE_SCN_ALIGN_* entries are the tool's expansion of the section header's 4-bit alignment field, which the PE format defines only for object files; ignore them and read the flags that matter for an image (CNT_CODE, CNT_INITIALIZED_DATA, MEM_EXECUTE, MEM_READ, MEM_WRITE, MEM_DISCARDABLE). Second, the names /4, /19, /31, /45, /57 and /70 are offsets into the COFF string table, which is how GNU binutils stores section names longer than eight bytes; the gaps between consecutive offsets (15, 12, 14, 12, 13 bytes) are consistent with the NUL-terminated names .debug_aranges, .debug_info, .debug_abbrev, .debug_line, .debug_frame and .debug_str in the order GCC emits them, i.e. an unstripped GCC/MinGW-w64 build carrying DWARF debug data in discardable, non-executable sections. Together with .CRT and .tls these sections are what trips the "more sections than normal" and "non-standard names" signatures; none of them is evidence of packing, and no section shows the entropy a packed or encrypted payload would (the highest is .text at 5.85).
DLL           Imports
ADVAPI32.dll  CreateProcessWithTokenW, DuplicateTokenEx, ImpersonateLoggedOnUser, OpenProcessToken, OpenSCManagerA, OpenServiceA, QueryServiceStatusEx, StartServiceA
KERNEL32.dll  CloseHandle, CreateToolhelp32Snapshot, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetStartupInfoA, GetStartupInfoW, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, MultiByteToWideChar, OpenProcess, Process32First, Process32Next, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, SleepEx, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery
msvcrt.dll    __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, memset, printf, signal, strcmp, strlen, strncmp, vfprintf
Read together with the strings recovered further down (winlogon.exe, TrustedInstaller, ServicesActive, cmd.exe, the argument "trusted", and log lines naming GetProcByPID, ImpersonateByPID, ElevateSystem and GetTrustedInstallerPID), this import set is that of a console tool that finds winlogon.exe with the Toolhelp snapshot APIs, opens it and impersonates its SYSTEM token (OpenProcess, OpenProcessToken, DuplicateTokenEx, ImpersonateLoggedOnUser), then, apparently only when asked for with "trusted" (the strcmp in main), starts the TrustedInstaller service through the SCM and repeats the impersonation against that service's PID, and finally launches a program with the duplicated token (CreateProcessWithTokenW). The msvcrt imports are the MinGW-w64 runtime, not the sample's logic. There are no network, registry, cryptographic or persistence imports, which matches the empty network section below. The technique needs administrator rights to begin with (the sandbox ran the sample elevated, see Target 0), so this is a token-theft utility rather than an exploit of a vulnerability; whether it is an administration or red-team tool or a component dropped by something else is context the sandbox cannot supply.
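As an added example, not code from the Joe Sandbox report or from the sample's author, the following stdlib-only Python script applies the static checks the report's signatures encode (more than ten sections, non-standard section names, per-section entropy) plus the check a triage analyst adds by hand, the ADVAPI32 token-impersonation import cluster, to a PE image it parses itself. The image it runs on is constructed inside the script: build_demo_pe, the DLL lists, the section bodies, the STANDARD_SECTIONS list and the 7.0-bit entropy threshold are all assumptions shaped after the tables above, not bytes of the real sample.

```python
import math
import struct
from collections import Counter

# Section names a plain MSVC/MinGW image carries; anything else is reported, as the
# sandbox's "sections with non-standard names" signature does (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".pdata", ".xdata", ".bss",
                     ".idata", ".edata", ".rsrc", ".reloc", ".tls", ".CRT"}
# APIs that together let a process run code under another process's token.
TOKEN_APIS = {"OpenProcessToken", "DuplicateTokenEx", "ImpersonateLoggedOnUser",
              "CreateProcessWithTokenW", "CreateProcessAsUserW"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty (.bss-like) section."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def _cstr(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")

def _rva_to_off(sections, rva):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def parse_pe(blob: bytes):
    """Return (section list, {dll: [imported names]}) for a PE32/PE32+ file image."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    opt = e_lfanew + 24                                # optional header follows the COFF header
    is64 = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    import_rva = struct.unpack_from("<I", blob, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsec):                              # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw": raw, "rawsize": rawsize,
                         "entropy": entropy(blob[raw:raw + rawsize])})
    imports = {}
    if import_rva:
        desc = _rva_to_off(sections, import_rva)
        width, ordinal_bit = (8, 1 << 63) if is64 else (4, 1 << 31)
        while True:                                    # 20-byte IMAGE_IMPORT_DESCRIPTORs
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, desc)
            if name_rva == 0:                          # all-zero descriptor ends the table
                break
            thunk, funcs = _rva_to_off(sections, oft or ft), []   # INT, or the IAT if no INT
            while (entry := int.from_bytes(blob[thunk:thunk + width], "little")) != 0:
                if entry & ordinal_bit:
                    funcs.append(f"#{entry & 0xFFFF}")
                else:                                  # RVA of IMAGE_IMPORT_BY_NAME: hint, name
                    funcs.append(_cstr(blob, _rva_to_off(sections, entry) + 2))
                thunk += width
            imports[_cstr(blob, _rva_to_off(sections, name_rva))] = funcs
            desc += 20
    return sections, imports

def triage(blob: bytes) -> dict:
    """Static findings in the spirit of the report's PE signatures."""
    sections, imports = parse_pe(blob)
    names = {f for fs in imports.values() for f in fs}
    return {"section_count": len(sections), "too_many_sections": len(sections) > 10,
            "nonstandard_sections": [s["name"] for s in sections if s["name"] not in STANDARD_SECTIONS],
            "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
            "token_apis": sorted(names & TOKEN_APIS), "imports": imports}

def build_demo_pe(imports: dict, extra_sections: dict) -> bytes:
    """Constructed PE32+ for the demo (not the analysed sample): .text, .idata with the
    import table, then the caller's sections; each section body must stay below 0x1000 bytes."""
    idata_va = 0x2000                                  # .idata is section 1 -> VA 0x2000
    data = bytearray(20 * (len(imports) + 1))          # descriptors plus the zero terminator

    def add(b):
        rva = idata_va + len(data)
        data.extend(b)
        return rva
    for i, (dll, funcs) in enumerate(imports.items()):
        by_name = [add(b"\0\0" + f.encode() + b"\0") for f in funcs]
        thunks = add(b"".join(struct.pack("<Q", r) for r in by_name) + bytes(8))
        struct.pack_into("<IIIII", data, 20 * i, thunks, 0, 0, add(dll.encode() + b"\0"), thunks)
    bodies = [(".text", b"\x48\x83\xec\x28\xc3"), (".idata", bytes(data))] + list(extra_sections.items())
    hdr_size, headers, image = 0x400, bytearray(), bytearray()
    for i, (name, body) in enumerate(bodies):
        rawsize = -(-len(body) // 0x200) * 0x200
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body),
                               0x1000 * (i + 1), rawsize, hdr_size + len(image), 0, 0, 0, 0, 0x60000020)
        image += body.ljust(rawsize, b"\0")
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, 0, 0, 0, 0x1000, 0x1000)
    opt += struct.pack("<QIIHHHHHHIIIIHHQQQQII", 0x400000, 0x1000, 0x200, 4, 0, 0, 0, 6, 0, 0,
                       0x1000 * (len(bodies) + 1), hdr_size, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(idata_va, len(data)) if i == 1 else (0, 0) for i in range(16)]   # entry 1 = IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, len(bodies), 0, 0, 0, len(opt), 0x22)
    pe = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + headers
    return bytes(pe.ljust(hdr_size, b"\0") + image)

# Constructed demo image: eleven sections including the "/N" string-table names a MinGW
# build emits for its DWARF sections (one filled with high-entropy bytes), and the same
# ADVAPI32 token APIs the analysed sample imports.
DEMO_PE = build_demo_pe(
    {"ADVAPI32.dll": ["CreateProcessWithTokenW", "DuplicateTokenEx", "ImpersonateLoggedOnUser", "OpenProcessToken"],
     "KERNEL32.dll": ["OpenProcess", "CreateToolhelp32Snapshot", "CloseHandle"]},
    {".data": bytes(0xD0), ".rdata": b"[%s] OpenProcess on PID %d failed. Error: %d\0", ".pdata": bytes(0x2B8),
     "/4": bytes(0x50), "/19": bytes(range(256)) * 4, "/31": bytes(0x149), "/45": bytes(0x222),
     "/57": bytes(0x48), "/70": bytes(0x9B)})
```

To use it on a real file call `triage(open(path, "rb").read())`; on the demo image it reports 11 sections, the six "/N" names as non-standard, "/19" as the only high-entropy section and the four ADVAPI32 token APIs. The parser prefers the import name table (OriginalFirstThunk) and falls back to the IAT so that it also works on a memory dump in which the loader has already overwritten the IAT, which is the form the sandbox's dumps take.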
No network behavior found

Target ID:0
Start time:13:26:58
Start date:07/10/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win64.MalwareX-gen.24652.477.exe"
Imagebase:0x400000
File size:63'351 bytes
MD5 hash:038AEEC194F57B9B270B4C7163D5A6B3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:13:26:58
Start date:07/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:13:26:58
Start date:07/10/2024
Path:C:\Windows\System32\WerFault.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\WerFault.exe -u -p 7256 -s 208
Imagebase:0x7ff677760000
File size:570'736 bytes
MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


    Execution Graph

    Execution Coverage:13.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:23.2%
    Total number of Nodes:198
    Total number of Limit Nodes:3
    Execution graph (rendered figure; the node dump is condensed here to the functions and the API calls attributed to them; executed/not-executed colouring is lost in extraction):
    • 0x4014e0 (entry point) → 0x401df0 → 0x401e30: GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter; then 0x401180.
    • 0x401180 (CRT start-up): GetStartupInfoA; Sleep; _initterm; 0x4023f0 (VirtualProtect, signal); SetUnhandledExceptionFilter; 0x402850 → 0x402e30 (strncmp) and RtlAddFunctionTable; malloc, strlen, memcpy (argv copy); then 0x401c0b; _cexit on return.
    • 0x401c0b (main): 0x4019d0 (ElevateSystem) → 0x401550 (GetProcByPID: printf, CloseHandle) and 0x4017fd (ImpersonateByPID: ImpersonateLoggedOnUser, printf), then printf and strcmp; 0x401c42 → 0x401a16 → 0x401627 (GetTrustedInstallerPID: printf) and 0x4017fd again (5 API calls), printf; 0x401c51: printf; 0x401c95 and 0x401cad → 0x401a55 (printf).
    • 0x402220 (reached from 0x4023f0): VirtualQuery, VirtualProtect, GetLastError, signal.
    • 0x402000 (the TLS callback listed in the PE header above) → 0x402cc0: InitializeCriticalSection, free, DeleteCriticalSection; 0x402c20 and 0x402b95: EnterCriticalSection, LeaveCriticalSection, free.
    • 0x401ed0: RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, abort.
    • 0x401010: __set_app_type; 0x4020f0: fprintf; 0x403361: SetUnhandledExceptionFilter; 0x403329: VirtualQuery; 0x403371: RtlLookupFunctionEntry.
    The function names in parentheses are the ones the sample's own "[%s]" log strings supply (see the Strings entries below); everything outside main and its callees is MinGW-w64 runtime code.

    Callgraph (rendered figure; edges condensed from the node dump, application-level functions named from the sample's log strings, CRT helper-to-helper edges omitted):
    • Function_004014E0 (entry) → Function_00401DF0, Function_00401180
    • Function_00401180 (CRT start-up) → Function_004032C0, Function_00402850, Function_004021F0, Function_004023F0, Function_00401DF0, Function_00401180, Function_00401C0B, Function_004032B0, Function_00401DB0
    • Function_00401C0B (main) → Function_004019D0, Function_00401A55, Function_00401A16, Function_00401DB0
    • Function_004019D0 (ElevateSystem) → Function_00401550 (GetProcByPID), Function_004017FD (ImpersonateByPID)
    • Function_00401A16 → Function_004017FD, Function_00401627 (GetTrustedInstallerPID)
    • Function_00401A55 → Function_00403180
    • Function_00402000 (TLS callback) → Function_00402CC0; Function_00401FD0 → Function_00402CC0
    • Function_00402850 → Function_00402FF0, Function_00402F80, Function_00402E30
    • Function_004023F0 → Function_00402F40, Function_004021F0, Function_00403180, Function_00402220, Function_00403430

    Control-flow Graph: 0x401180 (CRT start-up; rendered figure, basic blocks condensed from the node dump)
    • 0x401180–0x4011ae branches either to GetStartupInfoA at 0x401470–0x401473, then 0x401480–0x401499 (call 0x403240) and 0x40149e–0x4014d1 (calls 0x403220, 0x401df0 and 0x401180 itself, i.e. the start-up routine is re-entered once), or into the initialisation loop 0x4011b4–0x4011ff with Sleep at 0x4011dc–0x4011e1.
    • 0x401427–0x401436 (call 0x403250) and 0x40143c–0x401457 (_initterm) lead to 0x401247–0x401294, which calls 0x4023f0, SetUnhandledExceptionFilter, 0x402850, 0x4032b0, 0x4021f0 and 0x4032c0.
    • 0x401315–0x40133a (malloc) and the loop 0x401350–0x401380 (strlen, malloc, memcpy per argument) build the argv copy; 0x401387–0x4013c2 calls 0x401db0 and then main at 0x401c0b; 0x4013e5–0x4013ea runs _cexit before the return through 0x4013f0–0x4013ff.
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled_cexitmemcpystrlen
    • String ID:
    • API String ID: 1640792405-0
    • Opcode ID: af25bd5a341b23bbbd4a03eb9564c2f94bc3995fb2ea9686e82f54a34bdfab10
    • Instruction ID: 1ea07f07e20d3884432368961f83e9db5cc005ef20f8d6dc7ecf36c8179c1a5e
    • Opcode Fuzzy Hash: af25bd5a341b23bbbd4a03eb9564c2f94bc3995fb2ea9686e82f54a34bdfab10
    • Instruction Fuzzy Hash: B8818CB5600B4486EB24AF56E99476A37A5F749B88F84803EDF48773A1DF3DC844DB08

    Control-flow Graph: 0x401550 (GetProcByPID; rendered figure, basic blocks condensed from the node dump)
    • 0x401550–0x4015a3 calls 0x403418 and 0x4033a0, then goes either straight to 0x401605–0x401626 (CloseHandle, return) or into the loop 0x4015a5–0x4015be (call 0x4031d8) → 0x4015c0–0x4015e7 (call 0x4031e8) → 0x4015ec (printf) → 0x4015ee–0x401603 (call 0x403398), which loops back to 0x4015a5 or exits through the CloseHandle block.
    • The 0x4031xx, 0x4033xx and 0x4034xx targets are small leaf routines the report does not name; given the KERNEL32 imports and the "[%s] Process %s PID is %d" string, a CreateToolhelp32Snapshot / Process32First / Process32Next walk is the obvious reading, but the dump itself does not confirm which thunk is which.
    Similarity
    • API ID: CloseHandle
    • String ID: GetProcByPID$[%s] Process %s PID is %d
    • API String ID: 2962429428-3610471400
    • Opcode ID: 250efe858d849e9d698f3f0a96d9b5e86feae468b8ecc72ae00e3ad65d910424
    • Instruction ID: 3caf93afe306e98a0743b8bd218e371bfed69c36d63cc8d45421f38b0a6c3d5f
    • Opcode Fuzzy Hash: 250efe858d849e9d698f3f0a96d9b5e86feae468b8ecc72ae00e3ad65d910424
    • Instruction Fuzzy Hash: 6311F671710B869DEB20DFA2D8447DA23A4E748788F40002B9E0DAFB59EB38C604C754

    Control-flow Graph: 0x4017fd (ImpersonateByPID; rendered figure not reproduced)

    Strings
    • [%s] OpenProcess on PID %d failed. Error: %d, xrefs: 00401845
    • ImpersonateByPID, xrefs: 0040183E, 00401893, 00401932, 00401990
    • [%s] DuplicateTokenEx on PID %d failed. Error: %d, xrefs: 00401939
    • [%s] OpenProcessToken on PID %d failed. Error: %d, xrefs: 0040189A
    • [%s] ImpersonateLoggedOnUser on PID %d failed. Error: %d, xrefs: 00401997
    Similarity
    • API ID: printf
    • String ID: ImpersonateByPID$[%s] DuplicateTokenEx on PID %d failed. Error: %d$[%s] ImpersonateLoggedOnUser on PID %d failed. Error: %d$[%s] OpenProcess on PID %d failed. Error: %d$[%s] OpenProcessToken on PID %d failed. Error: %d
    • API String ID: 3524737521-3248095357
    • Opcode ID: 89dfabdf74dc0bf7d1536025d74a0486140407317b87942c9e71e3fb0bc408a2
    • Instruction ID: c6421e58fd3d9f300b3e1ae3b1f73fb1a361ad12f18210b1169846a2c30591e6
    • Opcode Fuzzy Hash: 89dfabdf74dc0bf7d1536025d74a0486140407317b87942c9e71e3fb0bc408a2
    • Instruction Fuzzy Hash: 7041F8B1710A0999EB50DB66EC9039D3760F748B88F40482ADF5CA7BB9EF78CA41C744

    Control-flow Graph: 0x401c0b (main; rendered figure not reproduced)

    APIs
      • Part of subcall function 004019D0: printf.MSVCRT ref: 00401A0A
    • strcmp.MSVCRT ref: 00401C39
    • printf.MSVCRT ref: 00401C69
    • printf.MSVCRT ref: 00401C86
      • Part of subcall function 00401A16: printf.MSVCRT ref: 00401A49
      • Part of subcall function 00401A55: printf.MSVCRT ref: 00401AF2
      • Part of subcall function 00401A55: printf.MSVCRT ref: 00401BF2
    Similarity
    • API ID: printf$strcmp
    • String ID: [%s] (SYSTEM) Token HANDLE 0x%p.$[%s] (TrustedInstaller) Token HANDLE 0x%p.$cmd.exe$main$trusted
    • API String ID: 2473254817-1572995953
    • Opcode ID: c95ec968544579be38e602612c3a77578951ce79cedc8b70d467533aac6004b0
    • Instruction ID: 4abf04ba551ef6a5530930b3a1be1c9a92d5a05fa5e70211dcb977b7c6ebfd55
    • Opcode Fuzzy Hash: c95ec968544579be38e602612c3a77578951ce79cedc8b70d467533aac6004b0
    • Instruction Fuzzy Hash: 2B21C6B4712B0594EF00AB56E9813553364E744BC8F40502AEF4D7B371EEBCC5498B48

    Control-flow Graph: 0x4019d0 (ElevateSystem; rendered figure, basic blocks condensed from the node dump)
    • 0x4019d0–0x4019fa calls 0x401550 (GetProcByPID) and then 0x4017fd (ImpersonateByPID); on one outcome the block 0x4019fc–0x401a0a (printf) runs, and both paths end in 0x401a0f–0x401a15.
    APIs
      • Part of subcall function 00401550: CloseHandle.KERNELBASE ref: 00401616
      • Part of subcall function 004017FD: printf.MSVCRT ref: 0040184C
    • printf.MSVCRT ref: 00401A0A
    Similarity
    • API ID: printf$CloseHandle
    • String ID: ElevateSystem$[%s] ImpersonateByPID(SYSTEM) succeeded.$winlogon.exe
    • API String ID: 3363481148-3921200022
    • Opcode ID: d6c958e14a25ab89d7ae59b266a5f24d4f280486700b3e6716698c7d4b588eda
    • Instruction ID: eeeb1b5e6e3286bf6f034587ddcab2b659d9b79581d5d0875449406a276fc74b
    • Opcode Fuzzy Hash: d6c958e14a25ab89d7ae59b266a5f24d4f280486700b3e6716698c7d4b588eda
    • Instruction Fuzzy Hash: 2FE04875711901E9EB00E735D8413592365A740388FC0442A9B1DBB1B1EE38C605CB08

    Control-flow Graph: 0x401627 (GetTrustedInstallerPID; rendered figure, basic blocks condensed from the node dump)
    • Entry 0x401627–0x40165a; three printf blocks (0x40165c–0x401680, 0x4016ad–0x4016e1, 0x401742–0x401776) each fall through to the exit at 0x4017f7–0x4017fc, matching the three "failed. Error: %d" strings below.
    • The remaining path runs 0x401685–0x4016ab → 0x4016e6–0x4016fd → 0x4017b4–0x4017de, then loops through 0x401702–0x401721 (printf) → 0x401723–0x401740 → 0x401778–0x40177e → 0x401780–0x40179f (printf) or 0x4017a1–0x4017ab → back to 0x4017b4, and returns via 0x4017e4–0x4017f4.
    Similarity
    • API ID: printf
    • String ID: GetTrustedInstallerPID$ServicesActive$TrustedInstaller$[%s] OpenSCManager failed. Error: %d$[%s] OpenService failed. Error: %d$[%s] QueryServiceStatusEx need %d bytes.$[%s] StartService failed. Error: %d$[%s] TrustedInstaller Service PID is %d
    • API String ID: 3524737521-2189383479
    • Opcode ID: ac6976177b7a3ae7270fbd9271f79e44d08aeb5096ad27c6a959dee35ea88250
    • Instruction ID: 1f9dd3d03cacb69b5fcbf0ae898bcead6ce7d576a6b7edeb0f72920630ea2a4b
    • Opcode Fuzzy Hash: ac6976177b7a3ae7270fbd9271f79e44d08aeb5096ad27c6a959dee35ea88250
    • Instruction Fuzzy Hash: D2410CB5710A0499EB00DB69EC9039D33A0F749B98F50062ADF1DA77B4DF39CA41CB88

    Control-flow Graph: 0x401ed0 (fatal-error path: capture context, unwind, UnhandledExceptionFilter, TerminateProcess, abort; rendered figure not reproduced)

    APIs
    • RtlCaptureContext.KERNEL32 ref: 00401EE4
    • RtlLookupFunctionEntry.KERNEL32 ref: 00401EFB
    • RtlVirtualUnwind.KERNEL32 ref: 00401F3D
    • SetUnhandledExceptionFilter.KERNEL32 ref: 00401F81
    • UnhandledExceptionFilter.KERNEL32 ref: 00401F8E
    • GetCurrentProcess.KERNEL32 ref: 00401F94
    • TerminateProcess.KERNEL32 ref: 00401FA2
    • abort.MSVCRT ref: 00401FA8
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
    • String ID:
    • API String ID: 4278921479-0
    • Opcode ID: 4231b4b87516edd7bc972636d1406addee211128e9852e5225d1adeb625bd15d
    • Instruction ID: a80238b1ddf95f2c857942a157d5d0b042dd5aca772804be96497641d9b0e5e9
    • Opcode Fuzzy Hash: 4231b4b87516edd7bc972636d1406addee211128e9852e5225d1adeb625bd15d
    • Instruction Fuzzy Hash: 0C21EFB1611F0099EB008B61FC8478933B4BB48B84F44412AEF8E677A5EF38C55AC708

    Control-flow Graph: 0x401df0 (the routine containing 0x401e30; rendered figure not reproduced). The five calls below, GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount and QueryPerformanceCounter xor-ed together, are the compiler's stack-cookie seeding sequence that runs before the CRT enters main; sandboxes commonly flag this timer/ID chain as "debugger detection", and it is the only API chain of that kind in the graph, so treat that signature as a false positive rather than as evasion logic in the sample.

    APIs
    • GetSystemTimeAsFileTime.KERNEL32 ref: 00401E35
    • GetCurrentProcessId.KERNEL32 ref: 00401E40
    • GetCurrentThreadId.KERNEL32 ref: 00401E49
    • GetTickCount.KERNEL32 ref: 00401E51
    • QueryPerformanceCounter.KERNEL32 ref: 00401E5E
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: a1654b1a5e58469e100019fa7964a65d8818cfd36ee138f411d8a42df0ce36b9
    • Instruction ID: da3e2389a881eef3a83eee4f2f6004e1335a159f80a5b73607df26ff39c06210
    • Opcode Fuzzy Hash: a1654b1a5e58469e100019fa7964a65d8818cfd36ee138f411d8a42df0ce36b9
    • Instruction Fuzzy Hash: 26114CA6665B5085FB114B25FC0435A72A0B788BB4F0817359F9C637B4DA3CC885C748
    Memory Dump Source
    • Source File: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: abab300716561deb7ad1dbe92d53b3d18e32e794503a7fe55cdbb86683b3c62f
    • Instruction ID: 35fded4b9ecd6c8ca91dde03ccd29809722e1029447f9364c1858d305e6be777
    • Opcode Fuzzy Hash: abab300716561deb7ad1dbe92d53b3d18e32e794503a7fe55cdbb86683b3c62f
    • Instruction Fuzzy Hash: CAD05BC7F9DFD046D322C1A40D7A15A2F91A5F691431D806F4F41633C3B43D5C055715
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e689781d7782fde07e70b67dc4f963534d97e362de84023b617e7754e0a7c37b
    • Instruction ID: 58c44f47819cdcaf11701f01adb9a079ecfb37b396743f9b115418fb6c22748d
    • Opcode Fuzzy Hash: e689781d7782fde07e70b67dc4f963534d97e362de84023b617e7754e0a7c37b
    • Instruction Fuzzy Hash: 1EA00252499D0180E3040B40D9153A65529E74A200F0431209A1461092C53D85158508

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 004023F0, basic blocks 004023F0-0040284B; calls 00402F40, 00403180, 00402220, 00403430, 004031E0, 004021F0, VirtualProtect, signal
    APIs
    • VirtualProtect.KERNEL32(00408630,00007FFE2167ADA0,?,?,?,00000001,0040124C), ref: 0040251D
    Strings
    • Unknown pseudo relocation protocol version %d., xrefs: 0040269E
    • Unknown pseudo relocation bit size %d., xrefs: 0040268A
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
    • API String ID: 544645111-395989641
    • Opcode ID: d324a09b628eecc57f2ab8e3e3ed127caf28eced47f467965402bd7aa393706f
    • Instruction ID: f05aec6a82821f84f7f22e723582678da4342a8ab665db0880c0e4cc5e771229
    • Opcode Fuzzy Hash: d324a09b628eecc57f2ab8e3e3ed127caf28eced47f467965402bd7aa393706f
    • Instruction Fuzzy Hash: 80915671B1055046EB289B66DB4831F6351B7983A8F54893BCF08B77D8DEBEC982870D

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 00402940, basic blocks 00402940-00402B22; calls signal, 004021F0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: signal
    • String ID: CCG
    • API String ID: 1946981877-1584390748
    • Opcode ID: 774f20f82659d80855c8cdbd0601561189d9b216f63062a9b1832aca8661f21d
    • Instruction ID: 82aa244cc5053a65e1fcf8dfbcc735a391ca21efaa4df4f8766fdcb3f0e77ff5
    • Opcode Fuzzy Hash: 774f20f82659d80855c8cdbd0601561189d9b216f63062a9b1832aca8661f21d
    • Instruction Fuzzy Hash: 28315E60B1440045EF79517A476833610419B8D378F298A3BD96EB73E2DDFECDC5161E

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 00402220, basic blocks 00402220-0040284B; calls 00402EC0, 00402FF0, VirtualQuery, 00403430, 00402F40, 00403180, VirtualProtect, GetLastError, 004031E0, 004021F0, signal
    APIs
    Strings
    • Address %p has no image-section, xrefs: 004023DD
    • VirtualQuery failed for %d bytes at address %p, xrefs: 004023C7
    • VirtualProtect failed with code 0x%x, xrefs: 00402386
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: Virtual$ErrorLastProtectQuery
    • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
    • API String ID: 637304234-2123141913
    • Opcode ID: 83c3a4063a2dce2d8c2fdcd0331aa95c88aefb514385dbe32ff3f002a6bf446a
    • Instruction ID: 1fe20e60fd26eeb89b7542ddbe1aeb930d5c0f0500852fb2d0d8a4c50414480b
    • Opcode Fuzzy Hash: 83c3a4063a2dce2d8c2fdcd0331aa95c88aefb514385dbe32ff3f002a6bf446a
    • Instruction Fuzzy Hash: 2A5100B3701A5086DB248F26EA0475E7760F789BA8F45813ADF4D673D8DA7CC942C308

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 00401A55, basic blocks 00401A55-00401C0A; calls 004031F0, printf, 00403180
    APIs
    Strings
    • [%s] CreateProcessWithTokenW with argument '%ls'. Error: %d, xrefs: 00401BEB
    • [%s] MultiByteToWideChar need %d bytes., xrefs: 00401AEB
    • CreateProcessImpersonate, xrefs: 00401AE4, 00401BE4
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: printf
    • String ID: CreateProcessImpersonate$[%s] CreateProcessWithTokenW with argument '%ls'. Error: %d$[%s] MultiByteToWideChar need %d bytes.
    • API String ID: 3524737521-844407695
    • Opcode ID: 30a9b8badebb3cdd2fcfec26055306a3f050e15a21b8245577f28ae12db0b6d3
    • Instruction ID: c9b4777289d548aaa57be8a096d33c9431b7a9c1120feec8c729b949d082f152
    • Opcode Fuzzy Hash: 30a9b8badebb3cdd2fcfec26055306a3f050e15a21b8245577f28ae12db0b6d3
    • Instruction Fuzzy Hash: 80412E72711B8099EB60CF65E8407CA37A0F788798F104236EE5C97BA8EF39C645C744

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 004020F0, basic blocks 004020F0-00402187 and 004021E0-004021E7; calls 00403280, fprintf
    APIs
    Strings
    • Unknown error, xrefs: 004021E0
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-3474627141
    • Opcode ID: cdc4e5d8309f71ca0f236d2a4d481da13db95bddc966c3dafd3745058893965d
    • Instruction ID: 588b6dcd6d2f75b48c5acd068d12107141b74fe583b5f08c83c4a08ec796d532
    • Opcode Fuzzy Hash: cdc4e5d8309f71ca0f236d2a4d481da13db95bddc966c3dafd3745058893965d
    • Instruction Fuzzy Hash: 9901C462504E88D6D6068F1CD8413EA7375FF9E79AF245316EF883A264DB39C643CB04
    APIs
    Strings
    • Total loss of significance (TLOSS), xrefs: 004021C0
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4273532761
    • Opcode ID: 82278db16c3cd151ee3b7d27147a00392a496ad1a837c55066fe36f685c0f110
    • Instruction ID: 5271ffe6d47e18e8f3ed4d28e0bc586e272fb4a166e6af144b4536481be6e8ea
    • Opcode Fuzzy Hash: 82278db16c3cd151ee3b7d27147a00392a496ad1a837c55066fe36f685c0f110
    • Instruction Fuzzy Hash: F9F09662404E8481C202CF1CA8003ABB375FF9D789F28531AEF893A564DB38C6878704
    APIs
    Strings
    • Partial loss of significance (PLOSS), xrefs: 004021D0
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4283191376
    • Opcode ID: 76148788dc030072721f6726ae16d5ee29986ffa8211d805021140ca97095402
    • Instruction ID: 9480cfd0b8d114bcc78c695d6713e12ad9661390a8e6d5e323d6d6c53a177272
    • Opcode Fuzzy Hash: 76148788dc030072721f6726ae16d5ee29986ffa8211d805021140ca97095402
    • Instruction Fuzzy Hash: 74F09662404F8481C242CF1CA8003ABB374FF9D789F68531AEF893A164DB38C6478704

    Control-flow Graph

    • Graph image not captured in this export. Summary: entry 00402190, basic block 00402190-00402197; calls 00403280, fprintf
    APIs
    Strings
    • Argument singularity (SIGN), xrefs: 00402190
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2468659920
    • Opcode ID: 0ea5eb44334996e9e35a1c54a2e3f2f81d894c4064eda8a4c732036953195ca5
    • Instruction ID: 1ed8557e754185567a905833511ab7558e4f55812789787a35a7d7e827eac40d
    • Opcode Fuzzy Hash: 0ea5eb44334996e9e35a1c54a2e3f2f81d894c4064eda8a4c732036953195ca5
    • Instruction Fuzzy Hash: 33F09662404E8881C202CF1CA8003EBB375FF9D789F28531AEF893A164DB38C6478704
    APIs
    Strings
    • Overflow range error (OVERFLOW), xrefs: 004021A0
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-4064033741
    • Opcode ID: 0bffac0ead21e233ea7a1be4754acab33b3cbe9269826f467bfdf2e2801da7a1
    • Instruction ID: 16ad13870ab6a23e1791564b88711431fd16557278e5a8d1bca3b88684458c9e
    • Opcode Fuzzy Hash: 0bffac0ead21e233ea7a1be4754acab33b3cbe9269826f467bfdf2e2801da7a1
    • Instruction Fuzzy Hash: F6F09662404E8481C242CF1CA8003ABB374FF9D79AF68531AEF893A164DB38C647C704
    APIs
    Strings
    • The result is too small to be represented (UNDERFLOW), xrefs: 004021B0
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2187435201
    • Opcode ID: 95e2b3b61dfb5b19dc598d279b2d6a42aa24cd1eda70faf89e42feb10d02de7f
    • Instruction ID: b28b1d9d70a1293a46effba0f53a61d5e09cf1c1e26a982615f2400fc466c588
    • Opcode Fuzzy Hash: 95e2b3b61dfb5b19dc598d279b2d6a42aa24cd1eda70faf89e42feb10d02de7f
    • Instruction Fuzzy Hash: 41F09662504E8482C202DF1CA8003ABB375FF9D789F68531AEF893A164DB38C6478704
    APIs
    Strings
    • Argument domain error (DOMAIN), xrefs: 00402121
    • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00402159
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: fprintf
    • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
    • API String ID: 383729395-2713391170
    • Opcode ID: dbece672a372915fd088550e5c4887a638d3e82fa6e089b8f9803499c992fe41
    • Instruction ID: 9f1ae53cf0fe03b6573d64f7f9e5b5645e5b7b53ec8bd3358f3328e94598df97
    • Opcode Fuzzy Hash: dbece672a372915fd088550e5c4887a638d3e82fa6e089b8f9803499c992fe41
    • Instruction Fuzzy Hash: E7F03656504F8881D201DF1DA80039BB375FF5E799F58531AEF8936524DB28C6478744
    APIs
      • Part of subcall function 00401627: printf.MSVCRT ref: 00401676
      • Part of subcall function 004017FD: printf.MSVCRT ref: 0040184C
    • printf.MSVCRT ref: 00401A49
    Strings
    • ElevateTrustedInstaller, xrefs: 00401A3B
    • [%s] ImpersonateByPID(TrustedInstaller) succeeded., xrefs: 00401A42
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: printf
    • String ID: ElevateTrustedInstaller$[%s] ImpersonateByPID(TrustedInstaller) succeeded.
    • API String ID: 3524737521-3693187864
    • Opcode ID: aa7c45924d4f545ee310bc27a71cf0236bcbc95bd683abb0b83e23b68fd68775
    • Instruction ID: 915b1ab85329ff8af1f94a6b02118f1ba52f8ea64c5e0a460dc77f7975b4160c
    • Opcode Fuzzy Hash: aa7c45924d4f545ee310bc27a71cf0236bcbc95bd683abb0b83e23b68fd68775
    • Instruction Fuzzy Hash: 82E08C71B10901AAEB00EB71D8063592365A70038CF84807AAA0CAB2A0EE38C606CB08
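    Reading note on the entries above: the pseudo-relocation strings ("Unknown pseudo relocation protocol version %d.", "VirtualProtect failed with code 0x%x", "Address %p has no image-section"), the _matherr messages, and the five-call sequence at 00401E35 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) are all compiler runtime: the first two groups are verbatim from mingw-w64-crt, and the third is the stack-cookie seed routine that both the MSVC and mingw-w64 CRTs emit, which sandboxes routinely mislabel as timing-based anti-debugging. The only sample-specific logic in this section is the CreateProcessImpersonate and ElevateTrustedInstaller pair (CreateProcessWithTokenW, ImpersonateByPID(TrustedInstaller)). The script below is an added triage helper, not part of Joe Sandbox or of the analysed sample: it parses function entries in this report's APIs/Strings shape and tags each one as runtime code or as the token-impersonation pattern. SAMPLE_REPORT is constructed from the entries on this page; the IMPERSONATION_APIS set is an assumption about what an import table would show and is not something this report lists.

```python
"""Triage helper for Joe Sandbox per-function entries (added example)."""
import re
from dataclasses import dataclass, field

# Verbatim strings from mingw-w64-crt (crt/pseudo-reloc.c, crt/mingw_matherr.c).
# A function carrying one of these is runtime the compiler linked in, not sample logic.
MINGW_CRT_STRINGS = {
    "Unknown pseudo relocation protocol version %d.",
    "Unknown pseudo relocation bit size %d.",
    "VirtualProtect failed with code 0x%x",
    "VirtualQuery failed for %d bytes at address %p",
    "Address %p has no image-section",
    "_matherr(): %s in %s(%g, %g) (retval=%g)",
}
# Stack-cookie seed sequence (MSVC __security_init_cookie and the mingw-w64 equivalent).
COOKIE_SEED_APIS = ("GetSystemTimeAsFileTime", "GetCurrentProcessId",
                    "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter")
# Assumed import names for the token-impersonation pattern (not listed in this report).
IMPERSONATION_APIS = {"CreateProcessWithTokenW", "CreateProcessAsUserW", "DuplicateTokenEx",
                      "ImpersonateLoggedOnUser", "OpenProcessToken", "SetThreadToken"}
IMPERSONATION_STRING_RE = re.compile(
    r"TrustedInstaller|ImpersonateByPID|CreateProcessWithTokenW|CreateProcessImpersonate")

# "• Name.MODULE(args), ref: ADDR"  and  "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\(.*\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)\s*$")
# "• text, xrefs: ADDR, ADDR"
STRING_RE = re.compile(
    r"^\s*•\s*(?P<text>.*), xrefs:\s*(?P<xrefs>[0-9A-Fa-f]+(?:,\s*[0-9A-Fa-f]+)*)\s*$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # (name, module, addr, from_subcall)
    strings: list = field(default_factory=list)   # (text, [xref addresses])

    def first_ref(self):
        """Lowest address referenced directly by the function (proxy for its identity)."""
        addrs = [int(a, 16) for _, _, a, sub in self.apis if not sub]
        addrs += [int(x, 16) for _, xrefs in self.strings for x in xrefs]
        return min(addrs) if addrs else None


def parse_entries(text):
    """Split report text into entries; a 'Memory Dump Source' line closes an entry."""
    entries, current, section = [], FunctionEntry(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            section = "apis"
        elif stripped == "Strings":
            section = "strings"
        elif stripped == "Memory Dump Source":
            if current.apis or current.strings:
                entries.append(current)
            current, section = FunctionEntry(), None
        elif section == "apis" and (m := API_RE.match(line)):
            current.apis.append((m["name"], m["module"], m["addr"], bool(m["sub"])))
        elif section == "strings" and (m := STRING_RE.match(line)):
            current.strings.append((m["text"], re.split(r",\s*", m["xrefs"])))
    if current.apis or current.strings:
        entries.append(current)
    return entries


def classify(entry):
    """Runtime code, cookie seed, sample-specific impersonation, or unclassified."""
    texts = [t for t, _ in entry.strings]
    direct_apis = [n for n, _, _, sub in entry.apis if not sub]
    if any(t in MINGW_CRT_STRINGS for t in texts):
        return "mingw-w64 CRT runtime"
    if all(a in direct_apis for a in COOKIE_SEED_APIS):
        return "CRT security-cookie seed (not anti-debug)"
    if any(IMPERSONATION_STRING_RE.search(t) for t in texts) or \
            any(a in IMPERSONATION_APIS for a in direct_apis):
        return "token impersonation (sample-specific)"
    return "unclassified"


def triage(text):
    """One record per function: verdict, direct+subcall API names, matched indicators."""
    records = []
    for entry in parse_entries(text):
        hits = sorted({m.group(0) for t, _ in entry.strings
                       for m in IMPERSONATION_STRING_RE.finditer(t)})
        records.append({"first_ref": entry.first_ref(), "verdict": classify(entry),
                        "apis": [n for n, _, _, _ in entry.apis], "indicators": hits})
    return records


# Constructed from the entries on this page (APIs/Strings fields only).
SAMPLE_REPORT = """\
APIs
• GetSystemTimeAsFileTime.KERNEL32 ref: 00401E35
• GetCurrentProcessId.KERNEL32 ref: 00401E40
• GetCurrentThreadId.KERNEL32 ref: 00401E49
• GetTickCount.KERNEL32 ref: 00401E51
• QueryPerformanceCounter.KERNEL32 ref: 00401E5E
Memory Dump Source
APIs
• VirtualProtect.KERNEL32(00408630,00007FFE2167ADA0,?,?,?,00000001,0040124C), ref: 0040251D
Strings
• Unknown pseudo relocation protocol version %d., xrefs: 0040269E
• Unknown pseudo relocation bit size %d., xrefs: 0040268A
Memory Dump Source
APIs
Strings
• [%s] CreateProcessWithTokenW with argument '%ls'. Error: %d, xrefs: 00401BEB
• [%s] MultiByteToWideChar need %d bytes., xrefs: 00401AEB
• CreateProcessImpersonate, xrefs: 00401AE4, 00401BE4
Memory Dump Source
APIs
  • Part of subcall function 00401627: printf.MSVCRT ref: 00401676
• printf.MSVCRT ref: 00401A49
Strings
• ElevateTrustedInstaller, xrefs: 00401A3B
• [%s] ImpersonateByPID(TrustedInstaller) succeeded., xrefs: 00401A42
Memory Dump Source
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT):
        print(f"{rec['first_ref']:#010x}  {rec['verdict']:45s}  {rec['indicators']}")
```

The runtime-string list is the part worth maintaining: every string it contains is one a reader can confirm against the mingw-w64-crt sources, so a match is a hard "skip this function" signal, whereas the impersonation regex is a prompt to open the function, not a verdict on its own.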
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1810031660.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1810018038.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810047264.0000000000405000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810062124.0000000000409000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.000000000040D000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1810076555.0000000000412000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeavefree
    • String ID:
    • API String ID: 4020351045-0
    • Opcode ID: 8e5da21ee47c9cd316c8d94bfc38455117d56a48760ef7ebcdd5c9b2e9e337f6
    • Instruction ID: c3e2ad1dc6757a636216e945aa5c02576581da33509b3b07302f6a90f117ecd1
    • Opcode Fuzzy Hash: 8e5da21ee47c9cd316c8d94bfc38455117d56a48760ef7ebcdd5c9b2e9e337f6
    • Instruction Fuzzy Hash: 8B011EF1715A0086EA08DB65EAC833A23A0B798B40F54843ADB49A73E0DFBCC9458749