Windows Analysis Report
SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

Overview

General Information

Sample name: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Analysis ID: 1532745
MD5: d9e95ae1bc04e66f7333eaf9079ae849
SHA1: dfaffbd0736b93665e702b24737b64647d70f03f
SHA256: 2fc46917a56f67b597fd3e56792a5e3a0a563c8bb9f4410adf209e0670be1f68
Tags: exe

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Potential time zone aware malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

  • System is w10x64
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000000.2353903090.0000000000092000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
Process Memory Space: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe PID: 4904 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author | Strings
0.0.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.90000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.5% probability
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: XIEnumerator`1Int32KeyValuePair`2Dictionary`2<Module>IsValidUUIDSystem.IOCosturacostura.metadataFromArgbmscorlibSystem.Collections.GenericReadThreadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.colorful.console.dll.compressedcostura.newtonsoft.json.dll.compresseduuidsourceCompressionModeget_MessageExchangenullCacheIDisposableFileColorful.Consoleset_Titleget_NamefullNameGetNamerequestedAssemblyNameIsValidMinecraftUsernameusernameDateTimeReadLinePrintLineget_NewLineCombinecultureDisposeParseValidateWriteCompilerGeneratedAttributeGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeByteget_ValueTryGetValueadd_AssemblyResolveRemoveCrackedLunarAccountTool.exeSetBufferSizeSetWindowSizeSystem.ThreadingSystem.Runtime.VersioningCultureToStringSystem.DrawingAttachIsMatchMathGetFolderPathlunarAcccountsPathget_LargestWindowWidthget_LengthEndsWithnullCacheLockCrackedLunarAccountToolColorfulReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamProgramget_Itemset_ItemSystemTrimJTokenMinMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.Reflectionset_PositionExceptionNewtonsoft.JsonLoadJsonSaveJsonStringComparisonjsonCopyToget_CultureInfoConsoleKeyInfoinfoSleepNewtonsoft.Json.LinqClearAssemblyLoaderSpecialFolderuserFoldersenderAccountManagerResolveEventHandlerEnterverToLowerColorcolorIEnumeratorGetEnumerator.ctor.cctorMonitorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesresourceNamessymbolNamesassemblyNa
mesget_FlagsAssemblyNameFlagsResolveEventArgsargsEqualsSystem.Text.RegularExpressionsSystem.CollectionsCrackedLunarAccountTool.HelpersConsoleHelpersRemoveCrackedAccountsViewInstalledAccountsRemoveAllAccountsRemovePremiumAccountsExistsConcatJObjectget_LargestWindowHeightop_Implicitop_ExplicitExitToLowerInvariantEnvironmentget_CurrentPrintCreateAccountCreateAccountPromptMoveNextReadAllTextWriteAllTexttextRemoveAccountsMenuPrintMenuget_NowRegexJArrayCrackedLunarAccountTool_ProcessedByFodyget_KeyReadKeyContainsKeyResolveAssemblyReadExistingAssemblyGetExecutingAssemblyop_EqualityIsNullOrEmpty7Cracked Lunar Account Tool INFO)Exiting the program. source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: Binary string: C:\Users\Whatify\Downloads\CrackedLunarAccountTool\src\CrackedLunarAccountTool\obj\Release\CrackedLunarAccountTool.pdb source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: Binary string: C:\projects\colorful-console\src\Colorful.Console\obj\Debug\net461\Colorful.Console.pdb source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618547656.0000000002430000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.0000000003611000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\projects\colorful-console\src\Colorful.Console\obj\Debug\net461\Colorful.Console.pdbSHA256GtFR source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618547656.0000000002430000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.0000000003611000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6F8FE76A0D5297A4FA7D4F7054093411D51F71B1|2636 source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618289933.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618289933.00000000008E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertA9
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618289933.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

System Summary

Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.3615570.3.raw.unpack, DefaultFonts.cs | Long String: Length: 12223
Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.363d590.5.raw.unpack, DefaultFonts.cs | Long String: Length: 12223
Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.262d53c.1.raw.unpack, DefaultFonts.cs | Long String: Length: 12223
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Code function: 0_2_00868591
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618547656.0000000002430000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameColorful.Console.dllB vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameColorful.Console.dllB vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameColorful.Console.dllB vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000000.2353942809.00000000000FC000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrackedLunarAccountTool.exeP vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618289933.000000000089E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.0000000003611000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameColorful.Console.dllB vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Binary or memory string: OriginalFilenameCrackedLunarAccountTool.exeP vs SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal56.evad.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_03
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe "C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: costura.costura.pdb.compressed source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
            Source: Binary string: C:\projects\colorful-console\src\Colorful.Console\obj\Debug\net461\Colorful.Console.pdb source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618547656.0000000002430000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.0000000003611000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: C:\projects\colorful-console\src\Colorful.Console\obj\Debug\net461\Colorful.Console.pdbSHA256GtFR source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618547656.0000000002430000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.0000000003611000.00000004.00000800.00020000.00000000.sdmp
            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6F8FE76A0D5297A4FA7D4F7054093411D51F71B1|2636 source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe

            Data Obfuscation

            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, AssemblyLoader.cs, .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
            Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.4a50000.8.raw.unpack, DynamicUtils.cs, .Net Code: CreateSharpArgumentInfoArray
            Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.4a50000.8.raw.unpack, LateBoundReflectionDelegateFactory.cs, .Net Code: CreateDefaultConstructor
            Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.38ab830.6.raw.unpack, DynamicUtils.cs, .Net Code: CreateSharpArgumentInfoArray
            Source: 0.2.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.38ab830.6.raw.unpack, LateBoundReflectionDelegateFactory.cs, .Net Code: CreateDefaultConstructor
            Source: Yara match, File source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, type: SAMPLE
            Source: Yara match, File source: 0.0.SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe.90000.0.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 00000000.00000000.2353903090.0000000000092000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe PID: 4904, type: MEMORYSTR
            Source: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Static PE information: section name: .text entropy: 7.973854794324544
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Memory allocated: 860000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Memory allocated: 2610000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Memory allocated: 9D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, System information queried: CurrentTimeZoneInformation
            Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Windows\System32\conhost.exe, Last function: Thread delayed
            Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 12 Software Packing; 1 Process Injection; 1 DLL Side-Loading; 1 Obfuscated Files or Information
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: 1 System Time Discovery; 1 Virtualization/Sandbox Evasion; 12 System Information Discovery; System Network Configuration Discovery; Internet Connection Discovery; Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Source | Detection | Scanner | Label | Link
            SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe | 11% | ReversingLabs | Win32.Hacktool.Generic |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://www.nuget.org/packages/Newtonsoft.Json.Bson | 0% | URL Reputation | safe |
            http://james.newtonking.com/projects/json | 0% | URL Reputation | safe |
            https://www.newtonsoft.com/jsonschema | 0% | URL Reputation | safe |
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://www.newtonsoft.com/json | SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | false | | unknown
            https://www.nuget.org/packages/Newtonsoft.Json.Bson | SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
            http://james.newtonking.com/projects/json | SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://www.newtonsoft.com/jsonschema | SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://github.com/JamesNK/Newtonsoft.Json | SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.000000000363D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3618819478.00000000038AB000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe, 00000000.00000002.3619383327.0000000004A50000.00000004.08000000.00040000.00000000.sdmp | false | | unknown
                No contacted IP infos
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1532745
                Start date and time:2024-10-13 21:33:13 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 29s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
                Detection:MAL
                Classification:mal56.evad.winEXE@2/1@0/0
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 94%
                • Number of executed functions: 3
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • VT rate limit hit for: SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
                No simulations
                No context
                Process:C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):288
                Entropy (8bit):5.032507930559015
                Encrypted:false
                SSDEEP:6:prVjE5JQ879cwdEQ87CGUE87XC8WBBFaD87E3hCRyFP6eIuFUfyAe:prVjEs87mG87rv87XC88eD87E3UApt5v
                MD5:7EA9577BB6D4FF925B6E87C4CC607A7F
                SHA1:AE61C50ABA026269FDBB27BAEE9F465808CBF234
                SHA-256:44785E58225C0C019C2EC71CF2B37E6762A501CB18675B58267C3EB0FCFA42B2
                SHA-512:CD3DFB9FE37EB34842903454B831491960EFA01CE749C1A90480F506E33B07CEE2C2CB2E090B44BB73413584FCEF0E3A7706D1CC508E5EBA3775E18D2ABFFD75
                Malicious:false
                Reputation:low
                Preview: [15:34:30] > [QUERY] What would you like to do:.. [15:34:31] > [OPTION] 1. Create Account.. [15:34:31] > [OPTION] 2. Remove Accounts.. [15:34:31] > [OPTION] 3. View Installed Accounts.. [15:34:31] > [OPTION] 4. Exit the program.. [15:34:31] > [INPUT] Please type your option (1-4) here:
                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):7.080484692009945
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
                File size:507'392 bytes
                MD5:d9e95ae1bc04e66f7333eaf9079ae849
                SHA1:dfaffbd0736b93665e702b24737b64647d70f03f
                SHA256:2fc46917a56f67b597fd3e56792a5e3a0a563c8bb9f4410adf209e0670be1f68
                SHA512:ecba89786f5dccb015395a4246f2606de9a0749bad66e2eab46322baea414c4a312129d22b91ae7bcac3990849f37501d7e939dfe8d217532fb29f350656a3d1
                SSDEEP:6144:Kiw0qvLJXnlUGujCtjno6itQl+REw6FMG/UHQS8PUHIRA8yVYtFm6axHUdi0G/7v:KkqjVnl36ud0zR/6CtQ9PUHIG8DnMj/
                TLSH:02B4BDFCA578FD32F05B50B949328D4058356BA32965CE743FABAD3FC9280A11D2E2D5
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..0...........M... ........@.. ....................... ............`................................
                Icon Hash:0f33654d5d658107
                Entrypoint:0x454dfe
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows cui
                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x66C18E19 [Sun Aug 18 06:00:57 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54da8 | 0x53 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0x28824 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x80000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x54cfc | 0x1c | .text
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x52e04 | 0x53000 | 476fc22eae3c3990eded23df83b52d10 | False | 0.9739269578313253 | data | 7.973854794324544 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0x56000 | 0x28824 | 0x28a00 | de6c54d34fd8856d64ddaa2597900923 | False | 0.28783052884615384 | data | 3.895008730132565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0x80000 | 0xc | 0x200 | 15210df67fa535534db697c378b65e26 | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_ICON | 0x561e0 | 0x5c4d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9936518684667146
                RT_ICON | 0x5be40 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | | | 0.12593162190938129
                RT_ICON | 0x6c678 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 2835 x 2835 px/m | | | 0.1553762875762035
                RT_ICON | 0x75b30 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | | | 0.20978979688238072
                RT_ICON | 0x79d68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | | | 0.24896265560165975
                RT_ICON | 0x7c320 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | | | 0.3302063789868668
                RT_ICON | 0x7d3d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 2835 x 2835 px/m | | | 0.3889344262295082
                RT_ICON | 0x7dd70 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | | | 0.49113475177304966
                RT_GROUP_ICON | 0x7e1e8 | 0x76 | data | | | 0.7457627118644068
                RT_VERSION | 0x7e270 | 0x3b4 | data | | | 0.3871308016877637
                RT_MANIFEST | 0x7e634 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                DLL | Import
                mscoree.dll | _CorExeMain
                No network behavior found


                Target ID:0
                Start time:15:34:30
                Start date:13/10/2024
                Path:C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.HackTool.Win32.Crack.28815.11045.exe"
                Imagebase:0x90000
                File size:507'392 bytes
                MD5 hash:D9E95AE1BC04E66F7333EAF9079AE849
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.2353903090.0000000000092000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.3618763518.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:1
                Start time:15:34:30
                Start date:13/10/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff66e660000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                  Execution Graph

                  Execution Coverage:20.2%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:2.8%
                  Total number of Nodes:106
                  Total number of Limit Nodes:3

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  Memory Dump Source
                  • Source File: 00000000.00000002.3618254225.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_860000_SecuriteInfo.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 568d9e1a1193a1456c2f68bfb03e1fdeb1d1e87d2e66681f2904550e125a59dd
                  • Instruction ID: 09187798d4299dbd0b435311fe694b0dfca57123b893294d2b334f9f6b436017
                  • Opcode Fuzzy Hash: 568d9e1a1193a1456c2f68bfb03e1fdeb1d1e87d2e66681f2904550e125a59dd
                  • Instruction Fuzzy Hash: 01D1D27990811EDFDF15CF51C840AE9BBB2FF88304F11C1A6E90967265DB319A96EF80

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetConsoleScreenBufferInfoEx.KERNELBASE(?,?), ref: 00864A7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.3618254225.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_860000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: BufferConsoleInfoScreen
                  • String ID:
                  • API String ID: 3437242342-0
                  • Opcode ID: dcba6c062ff1784089304126bf043f6fc743c9cf780345b67758dc9296f41dda
                  • Instruction ID: d10c96924f22c1fb78756d4629bc279f7be7c29b373250c439c48a6f7201b3a2
                  • Opcode Fuzzy Hash: dcba6c062ff1784089304126bf043f6fc743c9cf780345b67758dc9296f41dda
                  • Instruction Fuzzy Hash: 8A51D0B1C002298FDB21CF69C880BDEBBB4BB49310F1091EAD549B7250EB745E85CF94

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetConsoleScreenBufferInfoEx.KERNELBASE(?,?), ref: 00864A7C
                  Memory Dump Source
                  • Source File: 00000000.00000002.3618254225.0000000000860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00860000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_860000_SecuriteInfo.jbxd
                  Similarity
                  • API ID: BufferConsoleInfoScreen
                  • String ID:
                  • API String ID: 3437242342-0
                  • Opcode ID: e509b78386571bfe2d35a3a462bae2c9b654e7236293da361e590cf7b34f912d
                  • Instruction ID: a7881e5190872b188289a011d17cd890096ae82379ee3dea83c2aa207aaccaeb
                  • Opcode Fuzzy Hash: e509b78386571bfe2d35a3a462bae2c9b654e7236293da361e590cf7b34f912d
                  • Instruction Fuzzy Hash: 3551AEB5C0022D8FDB25CF69C884BDEBBB4BB49300F1095EA9549B7250EB746E84CF94