Windows Analysis Report
shootthemessenger.exe

Overview

General Information

Sample name: shootthemessenger.exe
Analysis ID: 1431785
MD5: 35c422bdf2a2f35cec6235c751cfe466
SHA1: e8a5cb5c798c3caf754d75711b25d6c39c36609b
SHA256: 3c8d01d842fc4969a74ff0fcfbc29e5f2fc572bb1ef5f00f5b3dbc3082efa65a

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to call native functions
Contains functionality to shutdown / reboot the system
Uses 32bit PE files

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior
Sample tries to load a library which is not present or installed on the analysis machine; adding the library might reveal more behavior
  • System is w10x64
  • shootthemessenger.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\shootthemessenger.exe" MD5: 35C422BDF2A2F35CEC6235C751CFE466)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


There are no malicious signatures. All signature results:

Source: shootthemessenger.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://grc.com
Source: shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://grc.com/mail.htm
Source: shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://grc.com/mail.htmhttp://grc.com/stm/ShootTheMessenger.htmYou
Source: shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://grc.com/stm/ShootTheMessenger.htm
Source: shootthemessenger.exe; String found in binary or memory: http://grc.comD
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_00401931 KiUserCallbackDispatcher,GetSystemMenu,DeleteMenu,DeleteMenu,BeginPaint,SetTextColor,SetBkMode,SelectObject,lstrlen,TextOutA,lstrlen,TextOutA,lstrlen,TextOutA,SelectObject,MoveToEx,LineTo,LineTo,SelectObject,LineTo,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,SelectObject,MoveToEx,LineTo,LineTo,LineTo,SelectObject,LineTo,LineTo,DrawEdge,SelectObject,MoveToEx,LineTo,SelectObject,LineTo,LineTo,SelectObject,SetTextColor,lstrlen,TextOutA,GetTextExtentPointA,lstrlen,TextOutA,SelectObject,GetTextExtentPointA,SetTextColor,SetBkMode,SelectObject,lstrlen,TextOutA,lstrlen,TextOutA,EndPaint,GetCursor,SetFocus,SetCursor,GetWindowLongA,GetCursorPos,ScreenToClient,SendMessageA,SendMessageA,RtlFillMemory,SendMessageA,SendMessageA,SetCursor,PtInRect,SetCursor,GetCursor,PostQuitMessage,PostQuitMessage,SetCursor,LoadCursorA,SetCursor,NtdllDefWindowProc_A,0_2_00401931
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_00402073 BeginPaint,GetClientRect,GetWindowLongA,DrawEdge,MoveToEx,SelectObject,LineTo,LineTo,SelectObject,LineTo,LineTo,EndPaint,NtdllDefWindowProc_A,0_2_00402073
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_004023DE ExitWindowsEx,0_2_004023DE
Source: classification engine; Classification label: clean1.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_004012D5 GetStockObject,GetStockObject,GetStockObject,CreatePen,CreatePen,GetStockObject,GetStockObject,GetStockObject,GetStockObject,GetStockObject,LoadLibraryA,LoadLibraryA,FindResourceA,LoadResource,LockResource,LoadCursorA,LoadCursorA,LoadBitmapA,LoadAcceleratorsA,LoadCursorA,0_2_004012D5
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_00402532 OpenSCManagerA,OpenServiceA,ChangeServiceConfigA,StartServiceA,ControlService,Sleep,CloseServiceHandle,CloseServiceHandle,0_2_00402532
Source: C:\Users\user\Desktop\shootthemessenger.exe; File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\shootthemessenger.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\shootthemessenger.exe; File read: C:\Users\user\Desktop\shootthemessenger.exe
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: riched32.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: riched20.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: usp10.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: msls31.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: mmdevapi.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: devobj.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: ksuser.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: avrt.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: audioses.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Section loaded: midimap.dll
Source: C:\Users\user\Desktop\shootthemessenger.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32
Source: C:\Users\user\Desktop\shootthemessenger.exe; Window found: window name: RICHEDIT
Source: C:\Users\user\Desktop\shootthemessenger.exe; File opened: C:\Windows\SysWOW64\riched32.Dll
Source: initial sample; Static PE information: section name: UPX0
Source: initial sample; Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\shootthemessenger.exe; API call chain: ExitProcess graph end node, graph_0-380
Source: C:\Users\user\Desktop\shootthemessenger.exe; API call chain: ExitProcess graph end node, graph_0-401
Source: C:\Users\user\Desktop\shootthemessenger.exe; Code function: 0_2_00401000 GetModuleHandleA,GetVersion,ShowWindow,UpdateWindow,KiUserCallbackDispatcher,GetMessageA,KiUserCallbackDispatcher,TranslateAccelerator,TranslateMessage,DispatchMessageA,ExitProcess,GetModuleFileNameA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CloseHandle,FindCloseChangeNotification,GlobalFree,MessageBoxA,ExitProcess,0_2_00401000
MITRE ATT&CK matrix (number of matched signatures in parentheses):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Service Execution (2); Scheduled Task/Job; At
  • Persistence: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows)
  • Privilege Escalation: Windows Service (1); DLL Side-Loading (1); Logon Script (Windows)
  • Defense Evasion: Software Packing (1); DLL Side-Loading (1); Obfuscated Files or Information (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: File and Directory Discovery (1); System Information Discovery (2); Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact
Source | Detection | Scanner | Label
shootthemessenger.exe | 4% | Virustotal |
shootthemessenger.exe | 0% | ReversingLabs |
No Antivirus matches
Source | Detection | Scanner | Label
http://grc.comD | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://grc.com/mail.htm | shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://grc.com/mail.htmhttp://grc.com/stm/ShootTheMessenger.htmYou | shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://grc.comD | shootthemessenger.exe | false | Avira URL Cloud: safe | unknown
http://grc.com | shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | | high
http://grc.com/stm/ShootTheMessenger.htm | shootthemessenger.exe, shootthemessenger.exe, 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp | false | | high
          No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431785
Start date and time: 2024-04-25 19:22:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shootthemessenger.exe
Detection: CLEAN
Classification: clean1.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 15
  • Number of non-executed functions: 11
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.018811499467943
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: shootthemessenger.exe
File size: 22'016 bytes
MD5: 35c422bdf2a2f35cec6235c751cfe466
SHA1: e8a5cb5c798c3caf754d75711b25d6c39c36609b
SHA256: 3c8d01d842fc4969a74ff0fcfbc29e5f2fc572bb1ef5f00f5b3dbc3082efa65a
SHA512: 7fb006b7193d9177eea4c11f14ba143d466c1c4e1107034be195eae58813aa004cdf553aec4ed97837fc55c7c52f1b5e8a88171fb0ea8eff8ad4e1bc6d5536cf
SSDEEP: 384:1qRcOTQRcJuU1pKxOcDiFxUz0nov4VEBMZXz:ARPQlU1pKNiFTngdBQX
TLSH: 90A28D142EC60255F4EF2634073276816576B810AFF95BBF6164612B6C682C96E32B3F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....A!.w.r...!...!...!.5.!...!...!...!...!...!.4.!...!...!...!Rich...!................PE..L......>.................@... .............
Icon Hash: 9192a11b1bc6ceb3
Entrypoint: 0x40dc00
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x3EAA9D15 [Sat Apr 26 14:52:05 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f39c39373531806ec9ccd5997efd0ce5
          Instruction
          pushad
          mov esi, 0040A000h
          lea edi, dword ptr [esi-00009000h]
          push edi
          or ebp, FFFFFFFFh
          jmp 00007F2B10C61462h
          nop
          nop
          nop
          nop
          nop
          nop
          mov al, byte ptr [esi]
          inc esi
          mov byte ptr [edi], al
          inc edi
          add ebx, ebx
          jne 00007F2B10C61459h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jc 00007F2B10C6143Fh
          mov eax, 00000001h
          add ebx, ebx
          jne 00007F2B10C61459h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc eax, eax
          add ebx, ebx
          jnc 00007F2B10C61441h
          jne 00007F2B10C6145Bh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007F2B10C61436h
          xor ecx, ecx
          sub eax, 03h
          jc 00007F2B10C6145Fh
          shl eax, 08h
          mov al, byte ptr [esi]
          inc esi
          xor eax, FFFFFFFFh
          je 00007F2B10C614C6h
          mov ebp, eax
          add ebx, ebx
          jne 00007F2B10C61459h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jne 00007F2B10C61459h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          jne 00007F2B10C61472h
          inc ecx
          add ebx, ebx
          jne 00007F2B10C61459h
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          adc ecx, ecx
          add ebx, ebx
          jnc 00007F2B10C61441h
          jne 00007F2B10C6145Bh
          mov ebx, dword ptr [esi]
          sub esi, FFFFFFFCh
          adc ebx, ebx
          jnc 00007F2B10C61436h
          add ecx, 02h
          cmp ebp, FFFFF300h
          adc ecx, 01h
          lea edx, dword ptr [edi+ebp]
          cmp ebp, FFFFFFFCh
          jbe 00007F2B10C61461h
          mov al, byte ptr [edx]
          inc edx
          mov byte ptr [edi], al
          inc edi
          dec ecx
          jne 00007F2B10C61449h
          jmp 00007F2B10C613B8h
          nop
          mov eax, dword ptr [edx]
          add edx, 04h
          mov dword ptr [edi], eax
          add edi, 04h
          sub ecx, 00000000h
Data directories:
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xf0b8           0x19c         .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe000           0x10b8        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections:
Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
UPX0   0x1000           0x9000        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1   0xa000           0x4000        0x3e00    167c3c2440e74a48556f1839475a1695  False     0.9711441532258065  data       7.810912762894194  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  0xe000           0x2000        0x1400    cf9de2cbf68ba6494a93c9f7ad1ec2d2  False     0.3064453125        data       3.516703537280388  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources:
Name             RVA     Size    Type                                                             Language  Country        ZLIB Complexity
WAVE             0x7338  0x37ec  empty                                                            English   United States  0
RT_CURSOR        0x5b54  0x134   empty                                                            English   United States  0
RT_BITMAP        0x5c9c  0xce8   empty                                                            English   United States  0
RT_ICON          0xe308  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 320   English   United States  0.2702312138728324
RT_ICON          0xe874  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640   English   United States  0.24193548387096775
RT_ACCELERATOR   0xab24  0xa0    data                                                             English   United States  0.9
RT_RCDATA        0x6984  0x9b1   empty                                                            English   United States  0
RT_GROUP_CURSOR  0x5c88  0x14    empty                                                            English   United States  0
RT_GROUP_ICON    0xeb60  0x22    data                                                             English   United States  1.0588235294117647
RT_VERSION       0xeb88  0x530   data                                                             English   United States  0.3983433734939759

Imports:
DLL           Import
KERNEL32.DLL  LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll  OpenServiceA
COMCTL32.dll
GDI32.dll     BitBlt
SHELL32.dll   ShellExecuteA
USER32.dll    GetDC
WINMM.dll     PlaySoundA

Language of compilation system: English; Country where language is spoken: United States
No network behavior found


Target ID: 0
Start time: 19:23:02
Start date: 25/04/2024
Path: C:\Users\user\Desktop\shootthemessenger.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\shootthemessenger.exe"
Imagebase: 0x400000
File size: 22'016 bytes
MD5 hash: 35C422BDF2A2F35CEC6235C751CFE466
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


            Execution Graph

Execution Coverage: 51.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 50.7%
Total number of Nodes: 217
Total number of Limit Nodes: 11

            Callgraph

            Control-flow Graph

            APIs
            • GetSystemMenu.USER32(?,00000000,?), ref: 00401952
            • DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?), ref: 00401961
            • DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?), ref: 0040196E
            • BeginPaint.USER32(?,?), ref: 00401988
            • SetTextColor.GDI32(00000000,00660000), ref: 0040199B
            • SetBkMode.GDI32(00000000,00000001), ref: 004019A3
            • SelectObject.GDI32(00000000,00000000), ref: 004019AF
            • lstrlen.KERNEL32(Easily enable and disable Windows',00000000,00000000,00000001,00000000,00660000,?,?), ref: 004019B9
            • TextOutA.GDI32(00000000,000000AC,00000010,Easily enable and disable Windows',00000000), ref: 004019CC
            • lstrlen.KERNEL32(built-in, Spam-receiving, Messenger,00000000,000000AC,00000010,Easily enable and disable Windows',00000000,Easily enable and disable Windows',00000000,00000000,00000001,00000000,00660000,?,?), ref: 004019D6
            • TextOutA.GDI32(00000000,000000AC,00000020,built-in, Spam-receiving, Messenger,00000000), ref: 004019E9
            • lstrlen.KERNEL32(Service. Freeware by Steve Gibson.,00000000,000000AC,00000020,built-in, Spam-receiving, Messenger,00000000,built-in, Spam-receiving, Messenger,00000000,000000AC,00000010,Easily enable and disable Windows',00000000,Easily enable and disable Windows',00000000,00000000,00000001), ref: 004019F3
            • TextOutA.GDI32(00000000,000000AC,00000030,Service. Freeware by Steve Gibson.,00000000), ref: 00401A06
            • SelectObject.GDI32(00000000,00000000), ref: 00401A12
            • MoveToEx.GDI32(00000000,0000018B,0000002E,00000000), ref: 00401A21
            • LineTo.GDI32(00000000,00000198,0000002E), ref: 00401A2E
            • LineTo.GDI32(00000000,00000198,00000011), ref: 00401A3B
            • SelectObject.GDI32(00000000,00000000), ref: 00401A47
            • LineTo.GDI32(00000000,00000196,00000011), ref: 00401A54
            • LineTo.GDI32(00000000,0000018A,0000001D), ref: 00401A61
            • LineTo.GDI32(00000000,0000018A,0000002F), ref: 00401A6E
            • SelectObject.GDI32(00000000,00000000), ref: 00401A7A
            • MoveToEx.GDI32(00000000,0000019C,0000001F,00000000), ref: 00401A89
            • LineTo.GDI32(00000000,000001B8,0000001F), ref: 00401A96
            • LineTo.GDI32(00000000,000001B8,0000001D), ref: 00401AA3
            • LineTo.GDI32(00000000,000001AC,00000011), ref: 00401AB0
            • SelectObject.GDI32(00000000,00000000), ref: 00401ABC
            • LineTo.GDI32(00000000,0000019B,00000011), ref: 00401AC9
              • Part of subcall function 00402146: GetWindowRect.USER32(?,?), ref: 00402154
              • Part of subcall function 00402146: GetSystemMetrics.USER32(00000000), ref: 0040215B
              • Part of subcall function 00402146: GetSystemMetrics.USER32(00000001), ref: 0040216B
              • Part of subcall function 00402146: MoveWindow.USER32(?,00000001,?,?,?,00000001,?), ref: 00402192
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Line$ObjectSelect$Text$MenuMoveSystemlstrlen$DeleteMetricsWindow$BeginColorModePaintRect
            • String ID: <$Copyright (c) 2003 by$Easily enable and disable Windows'$Gibson Research Corp.$Messenger$Service. Freeware by Steve Gibson.$Shoot The$You may join our eMail Notification System at http://grc.com/mail.htm to$built-in, Spam-receiving, Messenger$http://grc.com/mail.htm$http://grc.com/stm/ShootTheMessenger.htm$messenger$receive a short note when updates to this, or any new freeware, are ready.
            • API String ID: 2930996812-4129589145
            • Opcode ID: 4247e0dcedd79be6ff90d29f39140002510745d4b07643bbc2bf5add5507702d
            • Instruction ID: c054607349d30658604c37caaa9b6e8e3146c15029ac05b41034e358a0b1341e
            • Opcode Fuzzy Hash: 4247e0dcedd79be6ff90d29f39140002510745d4b07643bbc2bf5add5507702d
            • Instruction Fuzzy Hash: A7F1A47568030575EA227BA19E8BFBE21699B96F08F10453FF700790E3CBFD4441A66E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • GetStockObject.GDI32(00000008), ref: 004012D8
            • GetStockObject.GDI32(00000007), ref: 004012E4
            • GetStockObject.GDI32(00000006), ref: 004012F0
            • CreatePen.GDI32(00000000,00000001,00C0C0C0), ref: 00401303
            • CreatePen.GDI32(00000000,00000001,00808080), ref: 00401316
            • GetStockObject.GDI32(00000005), ref: 00401322
            • GetStockObject.GDI32(00000000), ref: 0040132E
            • GetStockObject.GDI32(00000001), ref: 0040133A
            • GetStockObject.GDI32(00000003), ref: 00401346
            • GetStockObject.GDI32(00000004), ref: 00401352
              • Part of subcall function 00401448: 73A1A570.USER32(00000000,?,00401361,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 0040144B
              • Part of subcall function 00401448: lstrcpy.KERNEL32(Courier New,Arial), ref: 00401469
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 0040148C
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 004014A2
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 004014B8
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 004014DF
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 004014F5
              • Part of subcall function 00401448: lstrcpy.KERNEL32(Courier New,Arial), ref: 00401510
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 0040151A
              • Part of subcall function 00401448: lstrcpy.KERNEL32(Courier New,Courier New), ref: 00401546
              • Part of subcall function 00401448: CreateFontIndirectA.GDI32(00404502), ref: 00401550
            • LoadLibraryA.KERNEL32(riched32.Dll,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 00401366
            • LoadLibraryA.KERNEL32(riched20.Dll,riched32.Dll,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 00401374
            • FindResourceA.KERNEL32(STM,0000000A,riched32.Dll), ref: 00401395
            • LoadResource.KERNEL32(00000000,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 004013A1
            • LockResource.KERNEL32(00000000,00000000,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 004013A7
            • LoadCursorA.USER32(00000000,00007F00), ref: 004013CF
            • LoadCursorA.USER32(00000000,00007F8A), ref: 004013E0
            • LoadBitmapA.USER32(STM,00000000), ref: 004013F5
            • LoadAcceleratorsA.USER32(STM,00007F8A), ref: 0040140A
            • LoadCursorA.USER32(STM,00000000), ref: 0040141F
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Create$LoadObjectStock$FontIndirect$CursorResourcelstrcpy$Library$A570AcceleratorsBitmapFindLock
            • String ID: RichEdit20A$STM$riched20.Dll$riched32.Dll
            • API String ID: 2963029138-2009737460
            • Opcode ID: c0e1f4f67e12aeee957b489f039037bb96005311bd8df2e4a5aa2a1e7e5cc536
            • Instruction ID: 0edc84b525815655b00f55094a25112ff3b36155175af2182c7188a4fe6b7749
            • Opcode Fuzzy Hash: c0e1f4f67e12aeee957b489f039037bb96005311bd8df2e4a5aa2a1e7e5cc536
            • Instruction Fuzzy Hash: 6D3178F4945340AEE7407FA2AF47B253654E791709F104A3BF704BA1E1EAFE14509B2D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
              • Part of subcall function 004010E1: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004010FB
              • Part of subcall function 004010E1: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401119
              • Part of subcall function 004010E1: GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401123
              • Part of subcall function 004010E1: GlobalAlloc.KERNEL32(00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401133
              • Part of subcall function 004010E1: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080), ref: 00401147
              • Part of subcall function 004010E1: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003), ref: 0040114D
              • Part of subcall function 004010E1: GlobalFree.KERNEL32(00000000), ref: 00401163
              • Part of subcall function 004010E1: MessageBoxA.USER32(Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve',This Program File is Damaged!,00000000,00000000), ref: 0040117E
              • Part of subcall function 004010E1: ExitProcess.KERNEL32(000000FF,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080), ref: 00401185
            • GetModuleHandleA.KERNEL32(00000000), ref: 00401007
              • Part of subcall function 0040118F: FindWindowA.USER32(00000000, STM - Manage the built-in Messenger Service), ref: 00401196
              • Part of subcall function 0040118F: ShowWindow.USER32(00000000,00000001,00000000,00401016,00000000), ref: 004011A3
              • Part of subcall function 0040118F: SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003,00000001,00000000,00401016,00000000), ref: 004011B6
            • ExitProcess.KERNEL32(00000000), ref: 004010DC
              • Part of subcall function 004011BD: RtlFillMemory.KERNEL32(?,00000028,00000000), ref: 004011CB
              • Part of subcall function 004011BD: LoadIconA.USER32(STM), ref: 004011F1
              • Part of subcall function 004011BD: RegisterClassA.USER32(?), ref: 00401204
              • Part of subcall function 004011BD: RegisterClassA.USER32(?), ref: 00401220
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000008), ref: 004012D8
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000007), ref: 004012E4
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000006), ref: 004012F0
              • Part of subcall function 004012D5: CreatePen.GDI32(00000000,00000001,00C0C0C0), ref: 00401303
              • Part of subcall function 004012D5: CreatePen.GDI32(00000000,00000001,00808080), ref: 00401316
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000005), ref: 00401322
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000000), ref: 0040132E
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000001), ref: 0040133A
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000003), ref: 00401346
              • Part of subcall function 004012D5: GetStockObject.GDI32(00000004), ref: 00401352
              • Part of subcall function 004012D5: LoadLibraryA.KERNEL32(riched32.Dll,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 00401366
              • Part of subcall function 004012D5: LoadLibraryA.KERNEL32(riched20.Dll,riched32.Dll,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 00401374
              • Part of subcall function 004012D5: FindResourceA.KERNEL32(STM,0000000A,riched32.Dll), ref: 00401395
              • Part of subcall function 004012D5: LoadResource.KERNEL32(00000000,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 004013A1
              • Part of subcall function 004012D5: LockResource.KERNEL32(00000000,00000000,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 004013A7
              • Part of subcall function 004012D5: LoadCursorA.USER32(00000000,00007F00), ref: 004013CF
              • Part of subcall function 004012D5: LoadCursorA.USER32(00000000,00007F8A), ref: 004013E0
              • Part of subcall function 004012D5: LoadBitmapA.USER32(STM,00000000), ref: 004013F5
              • Part of subcall function 004012D5: LoadAcceleratorsA.USER32(STM,00007F8A), ref: 0040140A
              • Part of subcall function 004012D5: LoadCursorA.USER32(STM,00000000), ref: 0040141F
              • Part of subcall function 0040155C: GetSystemMetrics.USER32(00000004), ref: 0040155E
              • Part of subcall function 0040155C: CreateWindowExA.USER32(00040001,STM, STM - Manage the built-in Messenger Service,80CA0100,00000000,00000000,000001D3,-00000151,00000000,00000000,00000000,00000004), ref: 00401592
              • Part of subcall function 0040173A: 74A6E3D0.COMCTL32(?,?,?,00401042,00000000), ref: 0040173D
              • Part of subcall function 0040173A: SetWindowLongA.USER32(000000FC,Function_0000166E), ref: 0040174F
            • GetVersion.KERNEL32(00000000), ref: 00401042
            • ShowWindow.USER32(00000001,00000000), ref: 0040107D
            • UpdateWindow.USER32(00000001), ref: 00401088
            • GetMessageA.USER32(00404688,00000000,00000000,00000000), ref: 00401098
            • TranslateAccelerator.USER32(00404688,00000000), ref: 004010B2
            • TranslateMessage.USER32(00404688), ref: 004010C0
            • DispatchMessageA.USER32(00404688), ref: 004010CA
            Strings
            • Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve', xrefs: 00401173
            • This Program File is Damaged!, xrefs: 0040116E
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Load$ObjectStock$Window$CreateFileMessage$CursorResource$ClassExitFindGlobalHandleLibraryModuleProcessRegisterShowTranslate$AcceleratorAcceleratorsAllocBitmapCloseDispatchFillFreeIconLockLongMemoryMetricsNameReadSizeSystemUpdateVersion
            • String ID: Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve'$This Program File is Damaged!
            • API String ID: 1475158858-390588867
            • Opcode ID: de319af89e4527f3553a3e6d7d6cbf5f24d819e7ad2a80d558edef1ce089c11a
            • Instruction ID: 540fe1babc8022052a61591b92d795929aa93b2726e4547824be29a834ec8e1e
            • Opcode Fuzzy Hash: de319af89e4527f3553a3e6d7d6cbf5f24d819e7ad2a80d558edef1ce089c11a
            • Instruction Fuzzy Hash: 9D3192B02402417AE62037B39F4BF5A214C9B92728F11063FBB55B60F2DEFD4580452D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • 73A1A570.USER32(00000000,?,00401361,00000004,00000003,00000001,00000000,00000005,00000000,00000001,00808080,00000006,00000007,?,0040102C,00000000), ref: 0040144B
            • lstrcpy.KERNEL32(Courier New,Arial), ref: 00401469
            • CreateFontIndirectA.GDI32(00404502), ref: 0040148C
            • CreateFontIndirectA.GDI32(00404502), ref: 004014A2
            • CreateFontIndirectA.GDI32(00404502), ref: 004014B8
            • CreateFontIndirectA.GDI32(00404502), ref: 004014DF
            • CreateFontIndirectA.GDI32(00404502), ref: 004014F5
            • lstrcpy.KERNEL32(Courier New,Arial), ref: 00401510
            • CreateFontIndirectA.GDI32(00404502), ref: 0040151A
            • lstrcpy.KERNEL32(Courier New,Courier New), ref: 00401546
            • CreateFontIndirectA.GDI32(00404502), ref: 00401550
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: CreateFontIndirect$lstrcpy$A570
            • String ID: Arial$Courier New$Courier New
            • API String ID: 3902587163-1433627370
            • Opcode ID: ded095a6b63415cbe41941f20e53f4e3cfaa762d2fb99479eb7245fd9449c5ef
            • Instruction ID: 1ef82b58a86a87003d355650f7bf29d0903c9d7e50422105c9f6bfa7a9bd31fb
            • Opcode Fuzzy Hash: ded095a6b63415cbe41941f20e53f4e3cfaa762d2fb99479eb7245fd9449c5ef
            • Instruction Fuzzy Hash: 1111F9F82803107BE6507BB66E4BB0969949BC9B1DF10447FB7017A1F2CAFC0540863E
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • lstrcmp.KERNEL32(00406984,?), ref: 00402257
            • GlobalAlloc.KERNEL32(00000040,?,00000001), ref: 00402291
            • RtlMoveMemory.NTDLL(00000000,?,00000040), ref: 004022A2
            • RtlMoveMemory.NTDLL(?,?,?), ref: 004022B3
            • RtlMoveMemory.NTDLL(?,}&Log User Off,00000001), ref: 004022C8
            • SendMessageA.USER32(?,00000449,00004002,00404116), ref: 004022F0
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,?,00000449,00004002,00404116,?,}&Log User Off,00000001,?,?), ref: 00402305
            • SendMessageA.USER32(?,0000043F,00000001,00000001), ref: 00402314
            • SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00402323
            • SendMessageA.USER32(?,00000447,00000000,0040452C), ref: 00402335
            • SendMessageA.USER32(?,000000B1,000000FF,00000000), ref: 00402344
            • GlobalFree.KERNEL32(00000000), ref: 0040234F
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: MessageSend$MemoryMove$Global$AllocFreeWindowlstrcmp
            • String ID: }&Log User Off
            • API String ID: 789034644-2413124617
            • Opcode ID: d6c7ce948b91bf2281b9f94ed78b3558fe9222748033e659b3a07819dd9c180f
            • Instruction ID: 3575b4c96fed98f95f5127aa93ac033c16d7f926d6c125746a9dfe42132ce0aa
            • Opcode Fuzzy Hash: d6c7ce948b91bf2281b9f94ed78b3558fe9222748033e659b3a07819dd9c180f
            • Instruction Fuzzy Hash: 5231E9B5A40214BBDB10AFA4CECAF8E3B65AB85714F14416AF7147B3C2C6FC9941C758
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004010FB
            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401119
            • GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401123
            • GlobalAlloc.KERNEL32(00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080,00000000,00000000,?,00000104), ref: 00401133
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080), ref: 00401147
            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003), ref: 0040114D
            • GlobalFree.KERNEL32(00000000), ref: 00401163
            • MessageBoxA.USER32(Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve',This Program File is Damaged!,00000000,00000000), ref: 0040117E
            • ExitProcess.KERNEL32(000000FF,00000000,00000000,?,00000000,00000000,00000040,-00000003,00000000,00000000,?,80000000,00000003,00000000,00000003,08000080), ref: 00401185
            Strings
            • Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve', xrefs: 00401173
            • This Program File is Damaged!, xrefs: 0040116E
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: File$Global$AllocCloseCreateExitFreeHandleMessageModuleNameProcessReadSize
            • String ID: Something (perhaps evil) has modified this file's original contents.Since this should NEVER HAPPEN there was either as error duringtransmission, or a virus has deliberately altered this file's contents!In either case you need to get a fresh copy from Steve'$This Program File is Damaged!
            • API String ID: 254174659-390588867
            • Opcode ID: cd2aa2fc28c8950acee15196b4bc7341d2a30b0c772e443347e024c266b90364
            • Instruction ID: 93ed45223b34bbc9cfbe9455566641a6b9236b65b576f87d81ac199488536795
            • Opcode Fuzzy Hash: cd2aa2fc28c8950acee15196b4bc7341d2a30b0c772e443347e024c266b90364
            • Instruction Fuzzy Hash: 3E01D8B238031537E62071B69E9BFAB214C9B40B24F24023FBB15FA1D2D9FC5A40456D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • SelectObject.GDI32(?), ref: 00401688
            • CallWindowProcA.USER32(?,?,?,?), ref: 004016B5
            • RtlFillMemory.KERNEL32(?,0000003C,00000000), ref: 004016C2
            • CallWindowProcA.USER32(?,0000043A,00000001,0000003C,?), ref: 004016E2
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: CallProcWindow$FillMemoryObjectSelect
            • String ID: <$http://grc.com/stm/ShootTheMessenger.htm
            • API String ID: 1398603458-2275238739
            • Opcode ID: 336885e56b35d0e327c1501647482f6c3a3e4e2fe5fbae0af942c25634f51ec3
            • Instruction ID: f4128786012b56f6814e4c47288b53b4d53ed2b5823a891080e68bd827cba3af
            • Opcode Fuzzy Hash: 336885e56b35d0e327c1501647482f6c3a3e4e2fe5fbae0af942c25634f51ec3
            • Instruction Fuzzy Hash: 7F113376500148BBDF125F94EE45E9E3B69FB54304F108437FA10750F1D7BB8960AB5A
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000001), ref: 004024D3
            • OpenServiceA.ADVAPI32(00000000,messenger,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 004024F3
            • QueryServiceStatus.ADVAPI32(00000000,b&@d,00000000,messenger,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 0040250F
            • CloseServiceHandle.ADVAPI32(00000000,00000000,b&@d,00000000,messenger,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 00402523
            • CloseServiceHandle.ADVAPI32(00000000,00000000,messenger,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 00402529
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Service$CloseHandleOpen$ManagerQueryStatus
            • String ID: b&@d$messenger
            • API String ID: 2623946379-1030225956
            • Opcode ID: cc3eff1b30bd1849ac34c7cb9c3d11c57fa759ad1f97125b47b0473440832f5d
            • Instruction ID: fa5c93dd60b23d056a456b06244335dff2cc29069a22fb68c2b12c9f566839b0
            • Opcode Fuzzy Hash: cc3eff1b30bd1849ac34c7cb9c3d11c57fa759ad1f97125b47b0473440832f5d
            • Instruction Fuzzy Hash: 8BF090766042066AD72237A15E4AB7631A8E742744F108137BA02B21D7DBF88805856D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            APIs
            • RtlFillMemory.KERNEL32(?,00000028,00000000), ref: 004011CB
            • LoadIconA.USER32(STM), ref: 004011F1
            • RegisterClassA.USER32(?), ref: 00401204
            • RegisterClassA.USER32(?), ref: 00401220
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: ClassRegister$FillIconLoadMemory
            • String ID: 3DSINK$STM
            • API String ID: 3965701726-1684785264
            • Opcode ID: 49710389cb5f8748e27fff5b65099f922c5aa43219b0816fc44530f645e27062
            • Instruction ID: d51527d30bfaa02cc6eff30bbee6ef91149bbb572e57f46d9a081dba2a32f01e
            • Opcode Fuzzy Hash: 49710389cb5f8748e27fff5b65099f922c5aa43219b0816fc44530f645e27062
            • Instruction Fuzzy Hash: 66F0A9B0D01208AACB40DFE59E4ABCDBAF8AB45308F50457AE200B72D1E7B996549B5D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 198 40155c-40159e GetSystemMetrics CreateWindowExA 199 4015a0 call 40219c 198->199 200 4015ac-4015af 198->200 202 4015a5 199->202 202->200 203 4015a7 202->203 203->200
            APIs
            • GetSystemMetrics.USER32(00000004), ref: 0040155E
            • CreateWindowExA.USER32(00040001,STM, STM - Manage the built-in Messenger Service,80CA0100,00000000,00000000,000001D3,-00000151,00000000,00000000,00000000,00000004), ref: 00401592
              • Part of subcall function 0040219C: CreateWindowExA.USER32(00000000,0040460C,004044A3,50000000,0000009D,0000012D,00000092,00000018,00404684,0000FF01,00000000), ref: 004021D8
            Strings
            • STM, xrefs: 00401588
            • STM - Manage the built-in Messenger Service, xrefs: 00401583
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: CreateWindow$MetricsSystem
            • String ID: STM - Manage the built-in Messenger Service$STM
            • API String ID: 3564887802-3038220388
            • Opcode ID: 0487658f7ccc8e55f9ea71396b1e915a119ab84002c99f6e612ccc671994c89a
            • Instruction ID: 866272b55b592af51a6ebaaffa0bb786632a59bbfb1df797bf1372a3419da289
            • Opcode Fuzzy Hash: 0487658f7ccc8e55f9ea71396b1e915a119ab84002c99f6e612ccc671994c89a
            • Instruction Fuzzy Hash: C9E017F17C130179FA312A61AE0BF96250497D1F04FB0053B7700BC2E1E8FEA510862D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 204 40118f-40119d FindWindowA 205 4011bc 204->205 206 40119f-4011bb ShowWindow SetWindowPos 204->206 206->205
            APIs
            • FindWindowA.USER32(00000000, STM - Manage the built-in Messenger Service), ref: 00401196
            • ShowWindow.USER32(00000000,00000001,00000000,00401016,00000000), ref: 004011A3
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000003,00000001,00000000,00401016,00000000), ref: 004011B6
            Strings
            • STM - Manage the built-in Messenger Service, xrefs: 0040118F
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Window$FindShow
            • String ID: STM - Manage the built-in Messenger Service
            • API String ID: 734913111-2094323438
            • Opcode ID: 1de89b23550236eda4346d452479e6507085824aab4148837c4cd800f5ad1b96
            • Instruction ID: fdee4dcf8bad525fc2621e598cb836a112ff44e7581d8833b92b99297864eac0
            • Opcode Fuzzy Hash: 1de89b23550236eda4346d452479e6507085824aab4148837c4cd800f5ad1b96
            • Instruction Fuzzy Hash: 95C002A179030035E92832626E6BF27050C4B40B14F24097B7B00FA0D2D8FE8940006D
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 207 402390-402398 208 40239a-4023b8 call 4021f3 207->208 209 4023dc-4023dd 207->209 212 4023c7-4023d7 PlaySound 208->212 213 4023ba-4023c2 SetWindowTextA 208->213 212->209 213->212
            APIs
              • Part of subcall function 004021F3: SendMessageA.USER32(?,00000449,00004002,00404116), ref: 004022F0
              • Part of subcall function 004021F3: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,?,00000449,00004002,00404116,?,}&Log User Off,00000001,?,?), ref: 00402305
              • Part of subcall function 004021F3: SendMessageA.USER32(?,0000043F,00000001,00000001), ref: 00402314
              • Part of subcall function 004021F3: SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00402323
              • Part of subcall function 004021F3: SendMessageA.USER32(?,00000447,00000000,0040452C), ref: 00402335
              • Part of subcall function 004021F3: SendMessageA.USER32(?,000000B1,000000FF,00000000), ref: 00402344
              • Part of subcall function 004021F3: GlobalFree.KERNEL32(00000000), ref: 0040234F
            • SetWindowTextA.USER32(00010414,004046E4), ref: 004023C2
            • PlaySound.WINMM(STM,00040005,004046E4), ref: 004023D7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: MessageSend$Window$FreeGlobalPlaySoundText
            • String ID: STM
            • API String ID: 3222582461-1191308422
            • Opcode ID: 508330a6f090fa848132db44ad6844480d122a2eee63477504889378a53ce9fb
            • Instruction ID: 52f541c35795220403ff56e4997e02aa7b1c819fdd8d4fe255768f673e9a4907
            • Opcode Fuzzy Hash: 508330a6f090fa848132db44ad6844480d122a2eee63477504889378a53ce9fb
            • Instruction Fuzzy Hash: 5EE046F4100205AFCA006FE9BF8AB1A3254B3A6309F000436B7007A0F2D7FE8020EE2C
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 214 40219c-4021a2 215 4021a7-4021ba 214->215 216 4021bc 215->216 217 4021be-4021df CreateWindowExA 215->217 216->217 218 4021f1-4021f2 217->218 219 4021e1-4021e6 217->219 220 4021e8 219->220 221 4021ea-4021ee 219->221 220->221 221->215 222 4021f0 221->222 222->218
            APIs
            • CreateWindowExA.USER32(00000000,0040460C,004044A3,50000000,0000009D,0000012D,00000092,00000018,00404684,0000FF01,00000000), ref: 004021D8
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: CreateWindow
            • String ID:
            • API String ID: 716092398-0
            • Opcode ID: 9d72e4e56c1da0f7cf1b1a5ddb4909a0865b3319c7b89a1854587833ab8d3dec
            • Instruction ID: eaf38f4c18cbd5b155ce2975ca3517a41bc0abe2f5ed9a171c039a78943e48a5
            • Opcode Fuzzy Hash: 9d72e4e56c1da0f7cf1b1a5ddb4909a0865b3319c7b89a1854587833ab8d3dec
            • Instruction Fuzzy Hash: DDF0B276100B00AFDB324EC1CD84B1277F1FB48310B044929E7955A6D0D27AA8559B14
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 223 401697 224 401733-401737 223->224
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 412f0a1a6f0592d40234aa9bde0b576859c91b1265235e19c85a07750cfbe9d8
            • Instruction ID: 8e4c8b3bf596a9e3cd7e6f46b899371231e0ca9d14fd18353cd9831b258f1fe0
            • Opcode Fuzzy Hash: 412f0a1a6f0592d40234aa9bde0b576859c91b1265235e19c85a07750cfbe9d8
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            Control-flow Graph

            control_flow_graph 225 40171a 226 401733-401737 225->226
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 020b9f88692f9ea3f74911cf4c428a3c80f87b56bf9c5f8cc0f5e4c6a77c77df
            • Instruction ID: 8e4c8b3bf596a9e3cd7e6f46b899371231e0ca9d14fd18353cd9831b258f1fe0
            • Opcode Fuzzy Hash: 020b9f88692f9ea3f74911cf4c428a3c80f87b56bf9c5f8cc0f5e4c6a77c77df
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • BeginPaint.USER32(?,?), ref: 0040208E
            • GetClientRect.USER32(?,?), ref: 0040209C
            • GetWindowLongA.USER32(?,000000F4), ref: 004020A6
            • DrawEdge.USER32(00000000,?,0000000A,0000000F), ref: 004020BD
            • MoveToEx.GDI32(00000000,00000000,00000000,00000000), ref: 004020D8
            • SelectObject.GDI32(00000000,00000000), ref: 004020E4
            • LineTo.GDI32(00000000,00000000,00000000), ref: 004020EE
            • LineTo.GDI32(00000000,00000000,00000000), ref: 004020F9
            • SelectObject.GDI32(00000000,00000000), ref: 00402105
            • LineTo.GDI32(00000000,00000000,00000000), ref: 00402111
            • LineTo.GDI32(00000000,000000FF,00000000), ref: 0040211C
            • EndPaint.USER32(?,?,?,000000F4,?,?), ref: 00402128
            • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0040213B
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Line$ObjectPaintSelectWindow$BeginClientDrawEdgeLongMoveNtdllProc_Rect
            • String ID:
            • API String ID: 1602201318-0
            • Opcode ID: 59ee06eacaf82bd8c9d8e8516ace744e637a185e5a465809809f64247822795c
            • Instruction ID: b82e3ca855e9e0159240f140e9345979da3a8023049bd4df4a225704aeb47416
            • Opcode Fuzzy Hash: 59ee06eacaf82bd8c9d8e8516ace744e637a185e5a465809809f64247822795c
            • Instruction Fuzzy Hash: 2D214F36500008BADF127B91CE46FBE7A39EF45714F10823AFA10750E2D7BA9952A769
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000001), ref: 00402543
            • OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 00402557
            • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF,00000000,00000000), ref: 00402578
            • StartServiceA.ADVAPI32(00000000,00000000,00000000,00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040258C
            • ControlService.ADVAPI32(00000000,00000004,?,00000000,00000000,00000000,00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040259C
            • Sleep.KERNEL32(0000000A,00000000,00000004,?,00000000,00000000,00000000,00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 004025A3
            • CloseServiceHandle.ADVAPI32(00000000,00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,000F01FF,00000000), ref: 004025AF
            • CloseServiceHandle.ADVAPI32(00000000,00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 004025B5
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Service$CloseHandleOpen$ChangeConfigControlManagerSleepStart
            • String ID:
            • API String ID: 1247052770-0
            • Opcode ID: 62a20289087108da84914259ee1ac8080f801bdcf92800ef8eba9cc202cf3716
            • Instruction ID: 85a6b39a04a1b62dd3bdf41d6405a637a2f22df25d9bb817fd733bba58892e5c
            • Opcode Fuzzy Hash: 62a20289087108da84914259ee1ac8080f801bdcf92800ef8eba9cc202cf3716
            • Instruction Fuzzy Hash: 1C01A22634422676DA2136654E0FFAF35484F01768F10833BB614B82D2DAFC8901C1AD
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • ExitWindowsEx.USER32(00000000,00000000), ref: 004023E2
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: ExitWindows
            • String ID:
            • API String ID: 1089080001-0
            • Opcode ID: 80015efc19e2dd0ee8c27602c766c87f329b8309a2e010a4c9ac6fe38b756525
            • Instruction ID: 4d1c666431b60cf849b77cca9cd36e173650a8333348ae371dcd4d4aa6300bc3
            • Opcode Fuzzy Hash: 80015efc19e2dd0ee8c27602c766c87f329b8309a2e010a4c9ac6fe38b756525
            • Instruction Fuzzy Hash:
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000001), ref: 004025D6
            • OpenServiceA.ADVAPI32(00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 004025EA
            • ControlService.ADVAPI32(00000000,00000004,?,00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 004025FC
            • ControlService.ADVAPI32(00000000,00000001,?,00000000,00000004,?,00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 00402612
            • ControlService.ADVAPI32(00000000,00000004,?,00000000,00000001,?,00000000,00000004,?,00000000,?,000F01FF,00000000,00000000,000F003F), ref: 0040261E
            • Sleep.KERNEL32(00000014,00000000,00000004,?,00000000,00000001,?,00000000,00000004,?,00000000,?,000F01FF,00000000,00000000,000F003F), ref: 00402625
            • ChangeServiceConfigA.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000004,?,00000000,?), ref: 00402645
            • CloseServiceHandle.ADVAPI32(00000000,00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000004,?,00000000), ref: 0040264B
            • CloseServiceHandle.ADVAPI32(00000000,00000000,?,000F01FF,00000000,00000000,000F003F,?,00000001), ref: 00402651
            • Sleep.KERNEL32(00000064,00000000,00000000,000F003F,?,00000001), ref: 00402658
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Service$Control$CloseHandleOpenSleep$ChangeConfigManager
            • String ID:
            • API String ID: 1337626383-0
            • Opcode ID: 737e7b60a9c951cdaa870d8aaff42dc9aa564248b08dea6536125649b92f36ad
            • Instruction ID: 5f5d2de957b00a36232bc906cdfd8833133acba376af206755f2d12a6c019b8d
            • Opcode Fuzzy Hash: 737e7b60a9c951cdaa870d8aaff42dc9aa564248b08dea6536125649b92f36ad
            • Instruction Fuzzy Hash: CF01D43265462636DA2176A14E4BFBF315C8F11728F00873BB720B91D3DAFD890181BD
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • DeleteObject.GDI32(004010D6), ref: 00401763
            • DeleteObject.GDI32(00000000), ref: 0040176E
            • DeleteObject.GDI32(00000000), ref: 00401779
            • DeleteObject.GDI32(00000000), ref: 00401784
            • DeleteObject.GDI32(00000000), ref: 0040178F
            • DeleteObject.GDI32(00000000), ref: 0040179A
            • DeleteObject.GDI32(00000000), ref: 004017A5
            • DeleteObject.GDI32(00000000), ref: 004017B0
            • DeleteObject.GDI32(00000000), ref: 004017BB
            • GlobalFree.KERNEL32(00000000), ref: 004017C6
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: DeleteObject$FreeGlobal
            • String ID:
            • API String ID: 1141912483-0
            • Opcode ID: 3a0eb32b18d92d170685d9846561835acfb92c7d4fa5f2da27e109efae53fae9
            • Instruction ID: 21995cb510ee0bc26512c53b3cc63ae1f24a43746de23b17b49c307c85d6eab2
            • Opcode Fuzzy Hash: 3a0eb32b18d92d170685d9846561835acfb92c7d4fa5f2da27e109efae53fae9
            • Instruction Fuzzy Hash: A3E07CB60111409ACE463761FF467083961EF853453719235B200314F1C77A1461951D
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetBkMode.GDI32(?,00000001), ref: 00401869
            • SelectObject.GDI32(?,?), ref: 00401875
            • SetTextColor.GDI32(?,00FFFFFF), ref: 00401880
            • lstrlen.KERNEL32(?,?,00FFFFFF,?,?,00000001), ref: 00401886
            • TextOutA.GDI32(?,?,?,?,00000000), ref: 00401894
            • SetTextColor.GDI32(?,00800000), ref: 0040189F
            • lstrlen.KERNEL32(?,?,00800000,?,?,?,?,00000000,?,?,00FFFFFF,?,?,00000001), ref: 004018A5
            • TextOutA.GDI32(?,00000000,00000000,?,00000000), ref: 004018B9
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Text$Colorlstrlen$ModeObjectSelect
            • String ID:
            • API String ID: 2243092784-0
            • Opcode ID: 2eefa36e0a0347ac2cb7cda99b8bb29b9517025037ba10587451229a4191aae0
            • Instruction ID: 83c7cee47e9849eb1a24b6e61068296d29b718431f5c5bd4160de735afce648e
            • Opcode Fuzzy Hash: 2eefa36e0a0347ac2cb7cda99b8bb29b9517025037ba10587451229a4191aae0
            • Instruction Fuzzy Hash: E8F01D3700011976CB127F569E46EFF3A3DEF86768F00413AFA10311D287BD9422A6BA
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • 73A1A570.USER32 ref: 004015C6
            • SetBkMode.GDI32(00000000,00000001), ref: 004015D0
            • SelectObject.GDI32(00000000), ref: 004015DC
            • SetTextColor.GDI32(00000000,?), ref: 004015E3
            • TextOutA.GDI32(00000000,http://grc.com/mail.htm to,00000017), ref: 004015FF
            Strings
            • http://grc.com/mail.htm to, xrefs: 004015ED
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Text$A570ColorModeObjectSelect
            • String ID: http://grc.com/mail.htm to
            • API String ID: 2272361179-1223271601
            • Opcode ID: 8aa52008f18e33cc356c8af4e240edc65a5646a69f60378c67df93b044af5360
            • Instruction ID: f5656e963b5c9008fbe42c8b6d14691f282eb66b793e16990292681468bf9878
            • Opcode Fuzzy Hash: 8aa52008f18e33cc356c8af4e240edc65a5646a69f60378c67df93b044af5360
            • Instruction Fuzzy Hash: F6F05EBA1001047BC6127B52DE86D3A366DE7D6758B01453AF300320F1ABBE0840966D
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SetCursor.USER32 ref: 00401625
              • Part of subcall function 004015B0: 73A1A570.USER32 ref: 004015C6
              • Part of subcall function 004015B0: SetBkMode.GDI32(00000000,00000001), ref: 004015D0
              • Part of subcall function 004015B0: SelectObject.GDI32(00000000), ref: 004015DC
              • Part of subcall function 004015B0: SetTextColor.GDI32(00000000,?), ref: 004015E3
              • Part of subcall function 004015B0: TextOutA.GDI32(00000000,http://grc.com/mail.htm to,00000017), ref: 004015FF
            • ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00401644
              • Part of subcall function 0040183D: SetCursor.USER32(00401653), ref: 00401843
            • MessageBoxA.USER32(We were unable to successfully launchthis system's Internet web Browser.Please check out the http://grc.com websiteto find out what's new !,Unable to Launch a Web Browser,00000000), ref: 00401665
            Strings
            • We were unable to successfully launchthis system's Internet web Browser.Please check out the http://grc.com websiteto find out what's new !, xrefs: 0040165A
            • Unable to Launch a Web Browser, xrefs: 00401655
            • open, xrefs: 0040163D
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: CursorText$A570ColorExecuteMessageModeObjectSelectShell
            • String ID: Unable to Launch a Web Browser$We were unable to successfully launchthis system's Internet web Browser.Please check out the http://grc.com websiteto find out what's new !$open
            • API String ID: 899305780-2796175318
            • Opcode ID: a967044cdc3634cfba15481c527176c5f4dea8450fc00b7b8612f5a6f5fc40bb
            • Instruction ID: 63510a2413bb285a5e26d48dd60b68d7f05d86e8b4c0ccab657b18dbb3cdfb10
            • Opcode Fuzzy Hash: a967044cdc3634cfba15481c527176c5f4dea8450fc00b7b8612f5a6f5fc40bb
            • Instruction Fuzzy Hash: EDE0EC7138030476EA2137A29E4BF0939159BA5F89F60493BBB00790F29CFEA950655D
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • SelectObject.GDI32(00000000,00000000), ref: 004018DD
            • 73A24D40.GDI32(?,00000000,00000000,00000050,00000044,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000), ref: 004018FF
            • SelectObject.GDI32(00000000), ref: 0040191F
            • DeleteDC.GDI32(00000000), ref: 00401925
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: ObjectSelect$Delete
            • String ID: D
            • API String ID: 119191458-2746444292
            • Opcode ID: 64f3451c48a77b234ea588465b57226f13e4f3aa719b68e92cbc14c88d4a5e7f
            • Instruction ID: 6b1a9f5fff017e06a5cfe95200946e5ff0da3fbe4d4ae9230d0e1fe390e5db45
            • Opcode Fuzzy Hash: 64f3451c48a77b234ea588465b57226f13e4f3aa719b68e92cbc14c88d4a5e7f
            • Instruction Fuzzy Hash: C8F024B2A00214BAEB2172918E8AFAF755CCB01768F20413BF604751C1D6FC0E0052BE
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • GetWindowRect.USER32(?,?), ref: 00402154
            • GetSystemMetrics.USER32(00000000), ref: 0040215B
            • GetSystemMetrics.USER32(00000001), ref: 0040216B
            • MoveWindow.USER32(?,00000001,?,?,?,00000001,?), ref: 00402192
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: MetricsSystemWindow$MoveRect
            • String ID:
            • API String ID: 514606546-0
            • Opcode ID: a4082767f559ca358be3dbbeb9f3d1857949bee3de3e4cf843cfe9f65d3e03fc
            • Instruction ID: 59af8feb520ea5e4787dddbbd2b7c22acb93d5dff272d36a16987e28ab77a922
            • Opcode Fuzzy Hash: a4082767f559ca358be3dbbeb9f3d1857949bee3de3e4cf843cfe9f65d3e03fc
            • Instruction Fuzzy Hash: 26F01D7191010DBFDB01DBACCEC6EBEB7BCEB00308F104665B514E61D1DAB1AA518A68
            Uniqueness

            Uniqueness Score: -1.00%

            APIs
            • lstrcmpiA.KERNEL32(?,enable), ref: 004023FB
            • lstrcmpiA.KERNEL32(?,disable), ref: 00402436
              • Part of subcall function 00401931: GetSystemMenu.USER32(?,00000000,?), ref: 00401952
              • Part of subcall function 00401931: DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?), ref: 00401961
              • Part of subcall function 00401931: DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?), ref: 0040196E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2877685513.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
            • Associated: 00000000.00000002.2877669160.0000000000400000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877685513.000000000040C000.00000040.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877725512.000000000040D000.00000080.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2877745794.000000000040E000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_400000_shootthemessenger.jbxd
            Similarity
            • API ID: Menu$Deletelstrcmpi$System
            • String ID: disable$enable
            • API String ID: 3734198065-2180829059
            • Opcode ID: 434664366509452eebf424052518f363b91a53b13e3b8c575b829a21a7060a7d
            • Instruction ID: cdf821103999f5b5e458dc91a4b3259a68404b2d6e8563da709dbe6b92a339b4
            • Opcode Fuzzy Hash: 434664366509452eebf424052518f363b91a53b13e3b8c575b829a21a7060a7d
            • Instruction Fuzzy Hash: 22F012B4341306BBDE326B22EF4BB653A5197A2768F104236F710361F2DBFA55509A0D
            Uniqueness

            Uniqueness Score: -1.00%