Windows Analysis Report
Pictures.exe

Overview

General Information

Sample name: Pictures.exe
Analysis ID: 1432279
MD5: 0017413629107fb8b1a300fe714798a7
SHA1: 4168ee9a4bbbb6541741b17481da79808c7a9d6d
SHA256: b31fb6f44818b2df444399a417c3323fd98234c5546235cc863494a22992a5a7
Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: System File Execution Location Anomaly
Sigma detected: Uncommon Userinit Child Process
Contains functionality to dynamically determine API calls
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Userinit Child Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Pictures.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\Pictures.exe" MD5: 0017413629107FB8B1A300FE714798A7)
    • userinit.exe (PID: 4868 cmdline: C:\Windows\userinit.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6600 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3136 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5700 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3416 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6704 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2264 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3268 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 992 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5100 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 764 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5208 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1616 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2244 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3796 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3940 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 4144 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1396 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5280 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6812 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 4560 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2724 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6784 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5908 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5256 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 424 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 7136 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3416 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2656 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3976 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5648 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5552 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5320 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3664 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\userinit.exe, CommandLine: C:\Windows\userinit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\userinit.exe, NewProcessName: C:\Windows\userinit.exe, OriginalFileName: C:\Windows\userinit.exe, ParentCommandLine: "C:\Users\user\Desktop\Pictures.exe", ParentImage: C:\Users\user\Desktop\Pictures.exe, ParentProcessId: 6784, ParentProcessName: Pictures.exe, ProcessCommandLine: C:\Windows\userinit.exe, ProcessId: 4868, ProcessName: userinit.exe
Source: Process started | Author: Tom Ueltschi (@c_APT_ure), Tim Shelton | Data: Command: C:\Windows\system32\system.exe, CommandLine: C:\Windows\system32\system.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\system.exe, NewProcessName: C:\Windows\SysWOW64\system.exe, OriginalFileName: C:\Windows\SysWOW64\system.exe, ParentCommandLine: C:\Windows\userinit.exe, ParentImage: C:\Windows\userinit.exe, ParentProcessId: 4868, ParentProcessName: userinit.exe, ProcessCommandLine: C:\Windows\system32\system.exe, ProcessId: 6600, ProcessName: system.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea) | Data: Command: C:\Windows\system32\system.exe, CommandLine: C:\Windows\system32\system.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\system.exe, NewProcessName: C:\Windows\SysWOW64\system.exe, OriginalFileName: C:\Windows\SysWOW64\system.exe, ParentCommandLine: C:\Windows\userinit.exe, ParentImage: C:\Windows\userinit.exe, ParentProcessId: 4868, ParentProcessName: userinit.exe, ProcessCommandLine: C:\Windows\system32\system.exe, ProcessId: 6600, ProcessName: system.exe
No Snort rule has matched

AV Detection

Source: Pictures.exe | Avira: detected
Source: C:\Windows\SysWOW64\system.exe | ReversingLabs: Detection: 100%
Source: C:\Windows\userinit.exe | ReversingLabs: Detection: 100%
Source: Pictures.exe | ReversingLabs: Detection: 100%
Source: Pictures.exe | Joe Sandbox ML: detected
Source: Pictures.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Pictures.exe | Binary or memory string: \AutoRun.inf
Source: Pictures.exe | Binary or memory string: D:\AutoRun.inf
Source: Pictures.exe | Binary or memory string: [autorun]
Source: Pictures.exe | Binary or memory string: [AutoRun]
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: \AutoRun.inf
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: [autorun]
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: D:\AutoRun.inf
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe | Binary or memory string: \AutoRun.inf
Source: system.exe | Binary or memory string: D:\AutoRun.inf
Source: system.exe | Binary or memory string: [autorun]
Source: system.exe | Binary or memory string: [AutoRun]
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001B.00000002.2412526741.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer

System Summary

Source: initial sample Static PE information: Filename: Pictures.exe
Source: Pictures.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: userinit.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: system.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe File created: C:\Windows\kdcoms.dll
Source: C:\Windows\userinit.exe File created: C:\Windows\SysWOW64\system.exe
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_0052000D
Source: C:\Windows\SysWOW64\system.exe Code function: 3_2_0052000D
Source: C:\Windows\SysWOW64\system.exe Code function: 4_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 5_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 6_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 7_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 8_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 9_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 10_2_0062000D
Source: C:\Windows\SysWOW64\system.exe Code function: 11_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 13_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 14_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 17_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 18_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 19_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 20_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 21_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 22_2_0045000D
Source: C:\Windows\SysWOW64\system.exe Code function: 23_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 24_2_0052000D
Source: C:\Windows\SysWOW64\system.exe Code function: 25_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 26_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 27_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 28_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 29_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 30_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 31_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: 32_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 33_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 34_2_0045000D
Source: C:\Windows\SysWOW64\system.exe Code function: 35_2_0052000D
Source: C:\Windows\SysWOW64\system.exe Code function: 37_2_0054000D
Source: C:\Windows\SysWOW64\system.exe Code function: 38_2_0044000D
Source: C:\Windows\SysWOW64\system.exe Code function: 39_2_0051000D
Source: C:\Windows\SysWOW64\system.exe Code function: String function: 00401218 appears 32 times
Source: Pictures.exe Binary or memory string: OriginalFilename vs Pictures.exe
Source: Pictures.exe, 00000000.00000000.2093480164.0000000000430000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000430000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe Binary or memory string: OriginalFilenamehoney.exe vs Pictures.exe
Source: Pictures.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Pictures.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: userinit.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: system.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: system.exe Binary or memory string: *\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: Pictures.exe, 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp, system.exe, 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp *m
Source: system.exe, system.exe, 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: classification engine Classification label: mal100.evad.winEXE@626/38@0/0
Source: C:\Windows\SysWOW64\system.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Pictures.exe File created: C:\Users\user\AppData\Local\Temp\~DFC5FDE2593792060A.TMP
Source: C:\Users\user\Desktop\Pictures.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Pictures.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\Pictures.exe File read: C:\Users\user\Desktop\Pictures.exe
Source: unknown Process created: C:\Users\user\Desktop\Pictures.exe "C:\Users\user\Desktop\Pictures.exe"
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\userinit.exe C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Users\user\Desktop\Pictures.exe Process created: C:\Windows\userinit.exe C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exe Process created: unknown unknown
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Pictures.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\userinit.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exeSection loaded: kernel.appcore.dll

Data Obfuscation

Source: C:\Users\user\Desktop\Pictures.exe  Unpacked PE file: 0.2.Pictures.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 3.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 4.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 5.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 6.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 7.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 8.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 9.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 10.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 11.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 13.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 14.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 17.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 18.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 19.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 20.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 21.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 22.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 23.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 24.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 25.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 26.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 27.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 28.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 29.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 30.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 31.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 32.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 33.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 34.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 35.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 37.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 38.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe  Unpacked PE file: 39.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_00520AD3 LoadLibraryA,GetProcAddress,  0_2_00520AD3
Source: system.exe.2.dr  Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: userinit.exe.0.dr  Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: Pictures.exe  Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC50 push 00401212h; ret  0_2_0040BC63
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C852 push 00401212h; ret  0_2_0040C865
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC64 push 00401212h; ret  0_2_0040BC77
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC78 push 00401212h; ret  0_2_0040BC8B
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC00 push 00401212h; ret  0_2_0040BC13
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C802 push 00401212h; ret  0_2_0040C815
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC14 push 00401212h; ret  0_2_0040BC27
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C816 push 00401212h; ret  0_2_0040C829
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC28 push 00401212h; ret  0_2_0040BC3B
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C82A push 00401212h; ret  0_2_0040C83D
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC3C push 00401212h; ret  0_2_0040BC4F
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C83E push 00401212h; ret  0_2_0040C851
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BCC8 push 00401212h; ret  0_2_0040BCDB
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BCDC push 00401212h; ret  0_2_0040BCEF
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BCF0 push 00401212h; ret  0_2_0040BD03
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BC8C push 00401212h; ret  0_2_0040BC9F
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BCA0 push 00401212h; ret  0_2_0040BCB3
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BCB4 push 00401212h; ret  0_2_0040BCC7
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD40 push 00401212h; ret  0_2_0040BD53
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD54 push 00401212h; ret  0_2_0040BD67
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD68 push 00401212h; ret  0_2_0040BD7B
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD7C push 00401212h; ret  0_2_0040BD8F
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD04 push 00401212h; ret  0_2_0040BD17
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD18 push 00401212h; ret  0_2_0040BD2B
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BD2C push 00401212h; ret  0_2_0040BD3F
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040C934 push esp; retf  0_2_0040C935
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BDCC push 00401212h; ret  0_2_0040BDDF
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040A9DC push 00401212h; ret  0_2_0040AACB
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BDE0 push 00401212h; ret  0_2_0040BDF3
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_0040BDF4 push 00401212h; ret  0_2_0040BE07
Source: C:\Users\user\Desktop\Pictures.exe  Code function: 0_2_004031FE push edi; iretd  0_2_004033CC
Source: Pictures.exe  Static PE information: section name: .text entropy: 7.992500880288964
Source: userinit.exe.0.dr  Static PE information: section name: .text entropy: 7.992500880288964
Source: system.exe.2.dr  Static PE information: section name: .text entropy: 7.992500880288964

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Pictures.exe  File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe  Executable created and started: C:\Windows\SysWOW64\system.exe
Source: C:\Users\user\Desktop\Pictures.exe  Executable created and started: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe  File created: C:\Windows\SysWOW64\system.exe

Boot Survival

Source: C:\Windows\userinit.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\Desktop\Pictures.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\userinit.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe  Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\userinit.exe Window / User API: foregroundWindowGot 1775
Source: C:\Users\user\Desktop\Pictures.exe API call chain: ExitProcess graph end node (graph_0-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_3-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_4-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_5-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_6-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_7-778)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_8-778)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_9-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_10-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_11-778)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_13-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_14-778)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node (graph_17-777)
Source: C:\Windows\SysWOW64\system.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Pictures.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Pictures.exe Code function: 0_2_00520AD3 LoadLibraryA,GetProcAddress,0_2_00520AD3
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 1 Native API | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 22 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 3 Obfuscated Files or Information | NTDS | 1 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | 1 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Source | Detection | Scanner | Label | Link
Pictures.exe | 100% | ReversingLabs | Win32.Worm.Generic |
Pictures.exe | 100% | Avira | TR/Crypt.CFI.Gen |
Pictures.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Windows\SysWOW64\system.exe | 100% | ReversingLabs | Win32.Worm.Generic |
C:\Windows\userinit.exe | 100% | ReversingLabs | Win32.Worm.Generic |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1432279
Start date and time:2024-04-26 19:15:35 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 9m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Pictures.exe
Detection:MAL
Classification:mal100.evad.winEXE@626/38@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 71%
  • Number of executed functions: 203
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time | Type | Description
19:16:23 | API Interceptor | 4421x Sleep call for process: userinit.exe modified
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019425820744617
Encrypted:false
SSDEEP:192:u27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:97XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:B74AFD76B34BCB3C58818BF01E8916AD
SHA1:583474A0FA89F8A241BEF06CBF0459913437AAA1
SHA-256:49925850F1B0A4D7899651BC009B38454B6DA4C225FE8FCB2450C29B747F7BBD
SHA-512:6C58C0E18A4F681173DF30B87C86034FD6075B154718D4CA76C22BDFE284637E6F522D3D9A08894F376C6001B3BAC7D36FB18647C4772738201F3E7B56C2882E
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019680107404083
Encrypted:false
SSDEEP:192:827dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:/7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:F3EDE37FC09D4D287F9BAB91CA281876
SHA1:9076CBD1C248B7CD1410E8355FA0A64B4251DB16
SHA-256:5C2056C6DBDC7DDF2919FD11B2AF6220A119EB6FBE91EB21F6807C6E69ABA40F
SHA-512:9DEDBAC9950412C36AB7CD07992E05E68E78ABB90051FCE99EF72A5D2F9775F4EB1D36E49BF46341302469FA17C0B46B23800375AEC109ACD33F1AE6A5C788B0
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019527407120234
Encrypted:false
SSDEEP:192:m27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:l7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:14406198A45746A1934838A5D19AAA86
SHA1:54B4635A5A29432A4EF5ACB6B128E8C44CFEB95C
SHA-256:EE552E92EE46773EE41B142320E15EEEE2E5A095FFFECCF95D80C074A7AF5DE8
SHA-512:FD9F165A6813EEF1D65A45DE446E5D14DED6BE6CE819204E030D1D73060E96C9AF960EC36046C4082447FC24519DE47CC0A1273D662C666507479DA332EA651C
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0197752040372885
Encrypted:false
SSDEEP:192:p27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:s7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:C70FC818D9651BA09E0CB1CFBD75CAAD
SHA1:830DCE2C533A3612894BF96DA5B5E6E98B0C2787
SHA-256:EE50DB98B26FEAF57798E0B4F7FC9227054CF2F26F4CB688A237BE2EAAB4294B
SHA-512:FCCB5CE25D8B06579E4E2AD83B1035A0A8875A7B02143B74DB8F9F37CD5E17A72E88777B272FDB85D5CA0489546FBDD3B73429AFDD2F4D8AAE2556F6703AA0B3
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019330904863105
Encrypted:false
SSDEEP:192:227dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:V7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:AAF205767870B0A92798448D06B60BB2
SHA1:1C3BE9028B9F1C5483B7EBF35E25A45B0A431DED
SHA-256:63D28B65B314670BF08A5753BDC2B37C1B0D9109F44A64BA98049710C5E1D2D1
SHA-512:5FF8F8F5131BD122AB2594A39A9C63CCDC6E14C2F4615611960DF5CE6707AE7A17CA811B3C2241A1702B277F0BFC95527208CA642605C054579F83408F8BCC23
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0196492114718145
Encrypted:false
SSDEEP:192:Q27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:b7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:F1F7101F05EAA49FC86ADF4FEB6FB756
SHA1:7B80654708B032E43B499F4594708E4F10BBB99E
SHA-256:8948CF6318D74EF4F4A08DF1978AEFA26DA820E8D470EC2A3FF9D103EEC17CB3
SHA-512:262D1B33291E68066CAFE2C0B1544453A9746C799134AA4146758935FDC220F98F173E0355FD1407D3B5C3815A6698D3DACE6C70090A8856D6B090B44ADE1D10
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019479084986262
Encrypted:false
SSDEEP:192:O27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:d7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:61D65A9F246E0BF380D0FBF09B662AC9
SHA1:5EDB85B94447EAD838033DFB6E5618406F174937
SHA-256:849DA3F315242DF6CEC25F3B208126CED3FC1D881B2C03166F75B8B6D79693DF
SHA-512:7B427B7E8C8D0C5A9B3BD2C42D57541C0A344ADABFBB781A39B3774BEB3BB7E402A1942D3FDD339445E3A83F7887E341C47763BA727D3D3BB036B833056C07A5
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0195364209282785
Encrypted:false
SSDEEP:192:k27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:X7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:F337446BDD0FA37C355EEBA6A027B5A8
SHA1:E3C0196A6B11DD2B9A3D8E718DE91C63C0A2F4A6
SHA-256:0249186B46B00E941129FDEDE8366EF881E8748A13A8E0359D69A76B6AC609ED
SHA-512:926A6002440D79ED864A89FF0E36A29D4D117A11835F79AB124CFA431423B6FAAD223578EC3B76C44416CA4E6AC2034B78937E99F564A561B6C24485102531B9
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019442864905451
Encrypted:false
SSDEEP:192:L27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:y7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:8CF2CAEB32F10403D46F73EC934C49AC
SHA1:806DBA6E2F0B2AB579063F0F0A9540DD987D8299
SHA-256:09A6C963EB17B1FB89615BBF1D81D841E8D5E472B257498313939A87C30BFCCC
SHA-512:4C3C7B47F04A2F0AF7F5B16CB95FA67CCBAD7A2FF5C93E306526CC161C78DE5E838EE658EC15715E16045920BBDC64194B0A6FB87DA086357F3663286B3F7E81
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019628890160527
Encrypted:false
SSDEEP:192:227dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:V7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7CE1EC99B443AE00F86D8ABAEEAFA856
SHA1:3C1D0DAEAAFB0393DAA831E304DB153DFDA6E441
SHA-256:43C58B83E16A3C2F78F75FEBD8A179DAE41DD0D256D12441CF8AF78EFEF45B4B
SHA-512:6699987B7B4EB06AA6286DA330C74D13184908A8903A8B853E1E6FCC200587FD6EDAB34E9B0581ED07DA3368F5A6ED4314A40253A07DA06008F6CBEC4732F8C2
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019680176893687
Encrypted:false
SSDEEP:192:827dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:/7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:ABA59D1A3E1305C99AB4C4C1731726C3
SHA1:DCF21FAC9E6A512224C1F7CB4E107CF361D049AB
SHA-256:CBF1E4D7B40E9237AF562C7D41BD9EA996F97E430D619061405AE1AFB13B2BB2
SHA-512:792B7EADDE780AAC25AFCA038E4BE0F7B72620D0F3620F2CD834B160C519A42CBD4B4AF805CA6FE71545B01DB911B22C4631B901483BCFDFAEDC362D0CB0008A
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019548461020982
Encrypted:false
SSDEEP:192:127dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:Q7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:2E3E6986BC1E897D128547F31124C7DE
SHA1:D1D3ACE2EECB6318A6517AD589B3ECADCF576C85
SHA-256:FD646BFA471BB2C86F5A96CD3C72819D52BF54E2D7D1F926F3671E512CCBD0B7
SHA-512:156827E19EFF92399E77562D17C797C4CBF94669359133FAC6394ED7C46471D311EACBB5A53029389DC94E7B66823B779B560C38F705DC5A9650571DE02B7F59
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019564160010398
Encrypted:false
SSDEEP:192:R27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:k7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:E54EA643F9982F80A89DF034FEC5754D
SHA1:E8BCF522B65FC1C56D184E736176E77FD962D6D3
SHA-256:9800CC80DC1069B933CAF1E5470A2F7D687C436D6EA449F2A7848B4C1AE103E1
SHA-512:2FB9D1B7B09E57F1844DD43CFED5D0F8A3FA788898B85AF13A0F3868370DF154E811B532A03DED25BFAB6A42AE66AA28999F7F2F4F76D5F80E473AE5648B5504
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019686021820228
Encrypted:false
SSDEEP:192:z27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:q7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:11C4844667DEC0F0F3B1F7B43B696426
SHA1:F5481208D75863DF1E311E780253EC45F9488B06
SHA-256:6DB4606C0DBCD74A6CE7E3055BC237CBB4C045418EDBF83802AEA445C0713E4B
SHA-512:BB09E29508A4046DCBE40DDE9F5B88143ADEEC877742E4100FA1560E8CA26DE110056D8F1174345CE6BF716F2CC983E8A2915415F7230A0791FE9CD56ABB8A5D
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0196611086739376
Encrypted:false
SSDEEP:192:M27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:v7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:ECE6A59A14038062C6F742040A3EE576
SHA1:3599F8AAE5C6BA732833D42FB271B3FD04A7FAB3
SHA-256:62F82D784C7D48C23722246EABAC04300333EC77A409456398E078C16CB6D07D
SHA-512:33ECB4E97FE94824756C17223A19AAFEC648BD827DF85AB4E4F4E53596EB6E15FCC371C550FCF75E33500211F5DF9FEEF21606CD66EC02B9F4B857E00FD92469
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019557010877401
Encrypted:false
SSDEEP:192:W27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:17XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:9E8524293DF5ED511CA83983CCB7A3D2
SHA1:CA026D48AAAFA2870615FBA96CF23E02DDD876DC
SHA-256:77522FCE5685FAF39B70EA6C2D15DA66EAC9BDD4A8C15C25D06E394E9E6D3B3F
SHA-512:5724D39AEBB1DC16B0368CAB4F001FA30D2EC6961978692195729484DDF57C09524514ADCFFADAE0A075D2D9B480C18A32B35D9FD7F05C68F77245AE4BF7212D
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019686805220593
Encrypted:false
SSDEEP:192:N27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:Y7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:5CB8009FF2A167BED61D1740700E9BE5
SHA1:4084E35934061EEE9EB9136F985E0541E573FF13
SHA-256:481086E790CBAAF8E6ACE19608E58BEBC12D4EC8B3F2F77181EEEB73FFA1E5A3
SHA-512:B5F46C61E41265AD3C787AA39B523127C1BE1CDC69A35E9EAAA4990D4B25446E3937AB64F582BC18C83E287E46A13B713523A5E5C96F24876A6AC12F41B963C6
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019496162253443
Encrypted:false
SSDEEP:192:527dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:c7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:96C124F71796C7854165D255AE31B489
SHA1:3C614BE83217C728A04A403EE63BC092BDE53D39
SHA-256:B55B053800F879A0F0D3FA889F60CF2EFF75B4538E09C1610A554BE4D715EB79
SHA-512:9E13E45C8BDFF4B69E970F501248BE8DEC91743A6F4713187D49C15090F903ADEA3F860B6374426466219D0E62691C0CA0854D80EB351482475B284044483E56
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019495567423202
Encrypted:false
SSDEEP:192:O27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:d7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:CCDA523A0362A41FED8E9A7149D48ADA
SHA1:265E0C00B72561A633768F8504318D82390BF2D6
SHA-256:E68E7B833227C7A7BB3FB3D429072E6BBE82739D8482C3DA394BDE6F75C0400B
SHA-512:13101398C2A1801B24338396603AEB6B4D840545BA71D53E661C0B17AAAB79CC5166C3FAF0FAEB23CDCC59A17EEC0E83D87A64370F241439E50237FA58DD5402
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0197035535340655
Encrypted:false
SSDEEP:192:p27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:s7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:30BB9DAAB01502ADB937F9EC4F6A6E49
SHA1:5FF4F9BFCC8B174F85FA6725FE88FB29563BDA4C
SHA-256:B695FC059C1CEA9077CB383CECEEC9BD16B9179C1017C82590C620E666E5AEA7
SHA-512:489FDB9A533A3ADAFBF332AFC97381083345DD748E518D378BC60B4127744D82E8675BDCB9BC02C4AA14F9C412575C3E6CD86FC132E3514FF38BFDDF0ACD607F
Malicious:false
Process:C:\Windows\userinit.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):49152
Entropy (8bit):3.4070728863790936
Encrypted:false
SSDEEP:192:y27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKD:Z7XIxA1a8ButlHmzTGf8Rfvgm/YKD
MD5:2B0A1E43441DC2059291F8B78CE5E398
SHA1:6E119C19721019756C9984F52C20C93433F157C2
SHA-256:50605275562BA4D09FE5988EDCE9CDD6DB5AF5AFF5315972E64B96874EF8CFE2
SHA-512:9AA2EF82BF3EC578104094977E8FD85A6A1358C2F611E6EF4184EE24D0C3EB70A6A7C1AC08DCBDA32FC8BA27F8FFD50AF125FDB8D32BF2A34C7B323E5BD33F62
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019480199510347
Encrypted:false
SSDEEP:192:g27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:L7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:F38A192FA762C0DD2A162F9882D4BA6A
SHA1:1D65B06BF54AB3B3AA658A551D215306848997DC
SHA-256:D55CA55D1B0C4C58A87216858E74E40E39EDA881662A0FF76959278D3404D300
SHA-512:CE1B07F0070B834A14E87B8B882D25EA377113FDB12EBDDB0A6CE11A0AB909495EACEFF5D1B9A7EF42FC1E9E839ACC902FA0B2B918DCED74D26DC669FE160B99
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.01969240364506
Encrypted:false
SSDEEP:192:d27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:I7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:ED8736982804E33178C14CCB485C65C1
SHA1:3A8B99089CC0A3E2881B5A06D0A64A9F007C2E54
SHA-256:578DB9763B4839B0969A9B2C6B5293BE97477EC0E8F1639985D6F7870132DEDF
SHA-512:E73FCF5202F4C819504A0527BC0E7C2F245F0B4EB9D43D78748FBFD7E90206670D927962A456DA7160479C60181745522AADC66DFA56225C956F5B2438A2E5A7
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019609509886161
Encrypted:false
SSDEEP:192:G27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:F7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7AED7A434CFF3A322D82A4695157CB2D
SHA1:B9A84B81599AB1775540699C9FAE939128D84109
SHA-256:CE24412ED7791E424D63978E7C0E699401FF1CE9F3956559096C03B6928BDD63
SHA-512:B8F2443C827AE1D7EA70A4C779032C434C4C7CB3558E0FBF78D30FA1B127905FCD4FE09268F88A02ACF66309126720CDCB8D04B8CDC78D527F8006C614B28248
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019715362123369
Encrypted:false
SSDEEP:192:c27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:f7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:54A5DFC487C99CA8A2C0075356B15267
SHA1:56ECC8419E2A497107F33D49C9D1A0A3BDB9BCE6
SHA-256:191A91BE4A20C52B0E508D9666B99085D52D00D38496BE006FAE1F5F5D5B5395
SHA-512:6AAE5DBA00C01FB5258D435D3A5F587F361AFE849547C7FE5817057BAD3D0ED08F07BEBFC744B829FB11CFE7EE6ACC1A79B624E7C2B66D7F5806D10F5FB5565C
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019521060839558
Encrypted:false
SSDEEP:192:027dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:H7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:0E70D25CF1BC5AAEA2B89A2A937FA283
SHA1:6D0FEA06ECA2D2C2E0D43156CF2EEF61B20E3CB7
SHA-256:A8ED6494223DF2645DD91FF31C2BF3334555FF5429F3D2D1D98DE77F27271ED7
SHA-512:17F0B962446E27B300583D9B79D86679B84A62891B040C98A892CF85FB461437A988269F8515F03EE9A6275ED7925F574975DBC118951A74B21F9825876114F1
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019680779254818
Encrypted:false
SSDEEP:192:V27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:w7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:B4B4EC5E355A995CDF8ECFC1006050DC
SHA1:F5E50234570EF9F3314AB8B6D441D9C02D9D15CF
SHA-256:B4D261ECDB10467F4C974C4D5078624496E66DC44DDD204209A1CE631DE7B1E9
SHA-512:2E0624F0B3BBD4D7B94120ABA6B56428C9C9007A8B224D81AB7496DC614D9719094BFF4FC3EF3806F22A1532B9AEE62E7B2E2B20D73D2D8C37E51CB1E69FEB70
Malicious:false
Process:C:\Users\user\Desktop\Pictures.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019723506194546
Encrypted:false
SSDEEP:192:527dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:c7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:026A3CDCC079AC6B192E125179758736
SHA1:C7DBFCDF8EFF4EFB12086F9687C99E9DACDDFE7E
SHA-256:717F06D6A64D75C739E6E893D987EC4FF28E9726FE3A31EEB9373FF433606B91
SHA-512:7D3E6C6417E1D8049D3B04F0EF874F5B3E958DFE0107957DA880D1C494A6D01CE3FDC92DDB7ECB9ACD06301B35C323EEAED9A3EE065F092A8503F417E89BD450
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0195360289235476
Encrypted:false
SSDEEP:192:S27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:57XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:3706B7A89ABAE03B7174FCB789CC4C62
SHA1:C92E0657AFAFA4B48586A590B68C1F225583C307
SHA-256:E23DC875E925AC5FF2EF2EC762D83FDD276E6F9D0D03A28C5E4F31E8DED3B795
SHA-512:B795CE5DD83FC4CA82DC057BA40FA7A19E6EEA49AF5E4F73CCAF5C3A71752B9C862F0D296835D1E857FD07E7E4275762B83F0EFA7E513774EA1155B97003FFA6
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019630838965778
Encrypted:false
SSDEEP:192:M27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:v7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:4402BA2BCC1F5AFFA70A1AB1B1A21782
SHA1:4D36BD092918D23C32A010D3E996EC0A70BC52C8
SHA-256:58B592446A45B537BD8D10F59EC0442FF96106EBE955404A20DD24FCAB720532
SHA-512:E0373A6357C5043B04502DFEF0EB559116F117F620C46A9B3C97C97DCD0524674EB65C729982259243D19D34E2F585C8784788A355CA9025D6FEDBE7203119EC
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019519858418611
Encrypted:false
SSDEEP:192:/27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:e7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:86A20B65D6858762147B6270612219DC
SHA1:A99F974F007B67EF8CF98A4DA21DF99AEB3D917A
SHA-256:B3E959F3F78867EEE0AB790FC95AEED045A0773B3DD6FB5520156B577B0B1F5C
SHA-512:5F8923F6CCDAB6A23F795F06E82D050A8F0C319EE10E387C1D64B2416524E6C4D8810F0874C51179E6F320DBD696685F4C077A3ADC572EB54A6F323FA98A1C9B
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019712074713214
Encrypted:false
SSDEEP:192:w27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:77XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:48E647CC206E401757BB5A2FD088E458
SHA1:CEC2F341B2C7BC297B411ABA2C94F67D7FA41D9C
SHA-256:ED8967F89B0DC2CF390C1779BE0C4EDA1C89FA710E9D9BF8A01998919219F65A
SHA-512:C1C0A2D24A1CE8B43E239540EA89DE99AE4564744A01122DFBA0624A8C824A685E4FD5F9AADC7DCB2DDA5CBCAFBF77AEE9AA19E2452BF0AFDEE95696FC05527B
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019648319883602
Encrypted:false
SSDEEP:192:V27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:w7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:0A762C47C9F724E3F97E21C719A41EED
SHA1:2F496195E0D8608E88B3D325B5864B0FBC5C5E20
SHA-256:9B6223023E0E3EE3175A2C4BB0655C630FDEF4475E84F495DA460065811643AB
SHA-512:8FAB7F6FCCFFF85A90077E439F71B259DE15BBD5A3855BE75D57C10E314B4378854B4B64BCDD7B7D7B198335458F8AA05966A71252B8FB9F59C50AD879685340
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.01968015107461
Encrypted:false
SSDEEP:192:o27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:D7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:9221AEC9334A0E893769B1CD45B0E039
SHA1:CC098B74A4651285B6C0750FB4926C05D72BA35D
SHA-256:E768D78DD754782A53924EF6A4D6C02E8149A4FEE079E102094D92F9FEF59B1E
SHA-512:9DDA427D1E5D13D68324826A6362D1E120295764614E3F11A1F8A46110743BE81CE8DA19A377BE183D44B188B0B863F7398906A45B42C059FC30C3AC5C750A01
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019672475398089
Encrypted:false
SSDEEP:192:R27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:k7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7AFEDC89974E4A928F0AC77848F46529
SHA1:4C22191495F525E09EC78AC77768CA66FBB1B7C7
SHA-256:3802E6668E3C3EFAADBD677ACC5EB0DCB889120D4D28387A6090252A9DB71DF1
SHA-512:93D07331B2433B6B72D19AC54CF245D180F41D92437801F09C3CA28E7F4075C847DC0AE0960AF6FD2DAB79128CA94FC3094D43B1E046033A25F4BAE245308E4D
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\userinit.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:dropped
Size (bytes):69632
Entropy (8bit):6.375769435198149
Encrypted:false
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
MD5:0017413629107FB8B1A300FE714798A7
SHA1:4168EE9A4BBBB6541741B17481DA79808C7A9D6D
SHA-256:B31FB6F44818B2DF444399A417C3323FD98234C5546235CC863494A22992A5A7
SHA-512:FD6C0B535DE28291524DC30377E8B79F5F38CA028DD583C37F95F1083E2BD3E5DB480C1F6A88D504CFCAD8B4D0B7F6FC996610058AE70E7419A3997116FB3A62
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@..........................0......C................................................................................................................................................................text....p.......l......PEC2TO......`....rsrc................n.............. ............p.d...A&....^Y=]..]...=...|Jz......X..%w.!_X.3..f..3...{..-.............7.Ov.)..y._.B.....q8....D .s.M!s?.84...p...;..44a.fL=.........Qm...ewt./...y..J.Br&.....\ZL/@!.....z..!.+oK.....R#.?.2....d.... .u..W>.^Y.B..J.h.E..{.of.[].=~D......W....j\..lJ.G.C.u^o.hi.vS.#g%R...{..B....84;.6.x...n........;....O.c..%..].J.F.S.........U/...2.ik.....q..k(.Nn."..|3......{..Bvo...[L.C}>....MOd..?9...6....VF&.0.....L#....4D.D..0G...:.R .S.gb..a.].g1..;_O....._]..-ML.
Process:C:\Windows\userinit.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):44
Entropy (8bit):4.079225801519103
Encrypted:false
SSDEEP:3:6CFXXPkN9ymLkQmu:6Clo9yyd
MD5:270199FCBE0622A97988C3B14434853B
SHA1:F834C64DFA3F98EE0C6D3F10C2DB954002FC3614
SHA-256:EE7D8C86D929C9BB6A8DE6E2C24705B36C4E12A805C49FB543872218C336C89D
SHA-512:3519DA2FB21A41C0274D070B188A9E636256D32D2E4690E35CC86C3D947B969C6B5161632778F0C1B0AEC9410973F8176ACABBD14ADFBEE1B96725FACD212AEF
Malicious:false
Preview:Don't worry! I will protect your computer...
Process:C:\Users\user\Desktop\Pictures.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:dropped
Size (bytes):69632
Entropy (8bit):6.375769435198149
Encrypted:false
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
MD5:0017413629107FB8B1A300FE714798A7
SHA1:4168EE9A4BBBB6541741B17481DA79808C7A9D6D
SHA-256:B31FB6F44818B2DF444399A417C3323FD98234C5546235CC863494A22992A5A7
SHA-512:FD6C0B535DE28291524DC30377E8B79F5F38CA028DD583C37F95F1083E2BD3E5DB480C1F6A88D504CFCAD8B4D0B7F6FC996610058AE70E7419A3997116FB3A62
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@..........................0......C................................................................................................................................................................text....p.......l......PEC2TO......`....rsrc................n.............. ............p.d...A&....^Y=]..]...=...|Jz......X..%w.!_X.3..f..3...{..-.............7.Ov.)..y._.B.....q8....D .s.M!s?.84...p...;..44a.fL=.........Qm...ewt./...y..J.Br&.....\ZL/@!.....z..!.+oK.....R#.?.2....d.... .u..W>.^Y.B..J.h.E..{.of.[].=~D......W....j\..lJ.G.C.u^o.hi.vS.#g%R...{..B....84;.6.x...n........;....O.c..%..].J.F.S.........U/...2.ik.....q..k(.Nn."..|3......{..Bvo...[L.C}>....MOd..?9...6....VF&.0.....L#....4D.D..0G...:.R .S.gb..a.].g1..;_O....._]..-ML.
File type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Entropy (8bit):6.375769435198149
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.96%
  • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.58%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:Pictures.exe
File size:69'632 bytes
MD5:0017413629107fb8b1a300fe714798a7
SHA1:4168ee9a4bbbb6541741b17481da79808c7a9d6d
SHA256:b31fb6f44818b2df444399a417c3323fd98234c5546235cc863494a22992a5a7
SHA512:fd6c0b535de28291524dc30377e8b79f5f38ca028dd583c37f95f1083e2bd3e5db480c1f6a88d504cfcad8b4d0b7f6fc996610058ae70e7419a3997116fb3a62
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
TLSH:5A634B022F71FDC6E454C935497389D822CCBD229D2376A265903EEEFE36342792D972
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@................
Icon Hash:00928e8e8686b000
Entrypoint:0x401220
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4B41F8B7 [Mon Jan 4 14:18:31 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:09d0478591d4f788cb3e5ea416c25237
Instruction
mov eax, 00431FD8h
push eax
push dword ptr fs:[00000000h]
mov dword ptr fs:[00000000h], esp
xor eax, eax
mov dword ptr [eax], ecx
push eax
inc ebp
inc ebx
outsd
insd
jo 00007F3E107BF953h
arpl word ptr [edx+esi+00h], si
or al, byte ptr [edi]
sbb al, 6Bh
jmp far B5A4h : 42BC1CCEh
sbb edx, eax
sbb dl, byte ptr [ebx+7E1B9605h]
cmp dword ptr [esi-15CB4221h], ebx
les esp, fword ptr [eax-62h]
xor byte ptr [esp-06h], bh
inc ebx
hlt
rcl bh, cl
jp 00007F3E107BF8ABh
push esi
shl dword ptr [eax-10h], cl
adc al, 71h
and ebp, esi
imul esi, edi, 35h
fsave [esi]
mov edx, 80FC5871h
fdiv dword ptr [ebx+6Eh]
mov ecx, 87743B8Ah
inc esp
sub ch, FFFFFFB6h
sub byte ptr [edx], FFFFFF8Ch
test dword ptr [9FBA6C70h], eax
xor al, 98h
outsb
jne 00007F3E107BF908h
xchg eax, esi
dec edi
and al, F2h
inc eax
add esp, dword ptr [edi-53h]
js 00007F3E107BF94Ch
or dword ptr [edi-2Ah], esi
fild qword ptr [edx]
into
lodsb
je 00007F3E107BF971h
jnle 00007F3E107BF908h
add ebp, dword ptr [ecx-13AC9B0Ah]
dec ecx
out dx, al
jmp 00007F3E107BF962h
cmp eax, A4EDF340h
cmpsd
jc 00007F3E107BF8D4h
cmc
lds edi, fword ptr [ebx]
int1
mov cl, 5Bh
lodsd
jns 00007F3E107BF883h
lea edi, edi
f2xm1
setb ch
cmp dl, dh
push eax
mov dl, 18h
pop ebp
mul byte ptr [ebx-4B66DE9Ch]
int 95h
jns 00007F3E107BF945h
mov esp, A50C8914h
xchg eax, edx
aas
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x313a4          0x8f          .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x28000          0x938c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name:.text
Virtual Address:0x1000
Virtual Size:0x27000
Raw Size:0x6c00
MD5:7d8628e87be428ac5420e06d290379e7
Xored PE:False
ZLIB Complexity:1.0005787037037037
File Type:data
Entropy:7.992500880288964
Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name:.rsrc
Virtual Address:0x28000
Virtual Size:0xb000
Raw Size:0xa200
MD5:1ce240c83bb947ba990812b5a6e5b417
Xored PE:False
ZLIB Complexity:0.2927517361111111
File Type:data
Entropy:4.68055929875683
Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name           RVA      Size    Type                                                           Language  Country        ZLIB Complexity
RT_ICON        0x28298  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 0                            0.11036585365853659
RT_ICON        0x28900  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 0                            0.1827956989247312
RT_ICON        0x28be8  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 0                            0.4222972972972973
RT_ICON        0x28d10  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                            0.4048507462686567
RT_ICON        0x29bb8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                            0.4936823104693141
RT_ICON        0x2a460  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                            0.27601156069364163
RT_ICON        0x2a9c8  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                           0.2020746887966805
RT_ICON        0x2cf70  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                           0.2976078799249531
RT_ICON        0x2e018  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                           0.3421985815602837
RT_ICON        0x2e480  0x2ca8  Device independent bitmap graphic, 96 x 192 x 8, image size 0                           0.15789013296011198
RT_GROUP_ICON  0x31128  0x94    Atari 68xxx CPX file (version 7400)                                                     0.8175675675675675
RT_VERSION     0x311c0  0x1cc   data                                                           English   United States  0.5304347826086957
DLL           Import
kernel32.dll  LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
Language of compilation system  Country where language is spoken
English                         United States
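The static data above carries the packer fingerprint the summary signatures describe: a .text section that is writable as well as executable and has entropy 7.99 (compressed payload), an executable .rsrc section that also holds the import directory (0x313a4 lies inside .rsrc), an import table reduced to LoadLibraryA/GetProcAddress/VirtualAlloc/VirtualFree, and an invalid header checksum. The entrypoint listing fits the same picture: it installs an SEH frame whose handler address 0x431FD8 is RVA 0x31FD8, inside .rsrc, and then writes through a null pointer, so the fault hands control to the loader stub living in the resource section, which is the classic PECompact2 entry sequence; the instructions after `mov dword ptr [eax], ecx` are compressed data, not code. The following Python is an added example, not Joe Sandbox code: a dependency-free triage that reads the section table, scores section entropy, flags write+execute code sections and recomputes the optional-header CheckSum with the imagehlp algorithm. Because the analysed sample is not on this page, the script builds a constructed PE32 in memory that mirrors those traits (RWX .text, pseudo-random contents, CheckSum 0, the report's COFF characteristics and timestamp); the CheckSum value of 0 and the section layout are assumptions for the demo.

```python
"""Static PE32 triage for the header traits the report flags.  Added example;
the PE it runs on is constructed in memory below, not the analysed sample."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as imagehlp computes it: fold the file as 32-bit words into a
    16-bit one's-complement sum, skipping the field itself, then add the length."""
    checksum, skip = 0, checksum_offset // 4
    padded = data + b"\0" * (-len(data) % 4)
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        checksum += struct.unpack_from("<I", padded, i * 4)[0]
        if checksum >= 1 << 32:
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    return (checksum & 0xFFFF) + len(data)


def triage(data: bytes) -> dict:
    """Parse the headers and section table; return findings and per-section stats."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    checksum_off = opt_off + 64                      # IMAGE_OPTIONAL_HEADER32.CheckSum
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    findings, sections = [], {}
    for i in range(nsections):
        raw_name, _vsize, va, raw_size, raw_ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(
            data, opt_off + opt_size + i * SECTION_HDR.size)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections[name] = {"va": va, "raw_size": raw_size, "entropy": ent, "flags": flags}
        if flags & IMAGE_SCN_MEM_WRITE and flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append(f"section {name} is writable and executable (0x{flags:08x})")
        if flags & IMAGE_SCN_MEM_EXECUTE and ent > 7.0:
            findings.append(f"section {name} entropy {ent:.2f}: likely packed or encrypted code")
    if stored != computed:
        findings.append(f"checksum mismatch: header 0x{stored:08x}, computed 0x{computed:08x}")
    return {"checksum_stored": stored, "checksum_computed": computed,
            "sections": sections, "findings": findings}


def with_checksum(data: bytes) -> bytes:
    """Copy of the file with a correct CheckSum (shows the check passes when it should)."""
    off = struct.unpack_from("<I", data, 0x3C)[0] + 24 + 64
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)


def _prng_bytes(n: int, seed: bytes = b"constructed sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed PE32: RWX .text of pseudo-random bytes, CheckSum 0 (assumed),
    COFF characteristics and timestamp taken from the report's header dump."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4B41F8B7, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1220)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x4000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                           # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    text, rsrc = _prng_bytes(0x2000), b"\0" * 0x200
    hdrs = SECTION_HDR.pack(b".text", 0x2000, 0x1000, len(text), 0x200, 0, 0, 0, 0, 0xE0000060)
    hdrs += SECTION_HDR.pack(b".rsrc", 0x200, 0x3000, len(rsrc), 0x200 + len(text), 0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return header + b"\0" * (0x200 - len(header)) + text + rsrc


if __name__ == "__main__":
    for finding in triage(build_sample_pe())["findings"]:
        print(finding)
```

Point `triage()` at `open(path, "rb").read()` for a real PE32. A CheckSum mismatch on its own is weak evidence (many legitimate unsigned builds leave it at 0); it is the combination with a write+execute, near-8-bit-entropy code section and a four-function import table that marks a packed file.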
No network behavior found

Target ID:0
Start time:19:16:23
Start date:26/04/2024
Path:C:\Users\user\Desktop\Pictures.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Pictures.exe"
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:19:16:23
Start date:26/04/2024
Path:C:\Windows\userinit.exe
Wow64 process (32bit):true
Commandline:C:\Windows\userinit.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, ReversingLabs
Reputation:low
Has exited:false

Target ID:3
Start time:19:16:26
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, ReversingLabs
Reputation:low
Has exited:true

Target ID:4
Start time:19:16:27
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:19:16:28
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:6
Start time:19:16:30
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:7
Start time:19:16:32
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:19:16:33
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:9
Start time:19:16:34
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:10
Start time:19:16:35
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:11
Start time:19:16:39
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:13
Start time:19:16:42
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:14
Start time:19:16:44
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:17
Start time:19:16:45
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:18
Start time:19:16:46
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:19
Start time:19:16:47
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:20
Start time:19:16:47
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:21
Start time:19:16:49
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:22
Start time:19:16:50
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:23
Start time:19:16:51
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:24
Start time:19:16:52
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:25
Start time:19:16:52
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:26
Start time:19:16:54
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:27
Start time:19:16:54
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:28
Start time:19:16:55
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:29
Start time:19:16:55
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:30
Start time:19:16:56
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:31
Start time:19:16:56
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:32
Start time:19:16:58
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:33
Start time:19:16:58
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:34
Start time:19:16:59
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:35
Start time:19:16:59
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:37
Start time:19:17:01
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:38
Start time:19:17:02
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:39
Start time:19:17:02
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true
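
Two things in the process list above are what the "System File Execution Location Anomaly" and "Uncommon Userinit Child Process" Sigma hits refer to: userinit.exe executing from C:\Windows instead of C:\Windows\System32, and a binary named system.exe (a name no stock Windows component uses) executing from a system directory with the same MD5 as the submitted sample. Note also that for every system.exe instance the Commandline says C:\Windows\system32\ while the Path says C:\Windows\SysWOW64\: these are 32-bit processes on a 64-bit host, and WoW64 file system redirection maps a 32-bit process's references to System32 onto SysWOW64, which is why the copy "dropped to system32" actually lives in SysWOW64 and why the dropped-file entries name C:\Windows\SysWOW64\system.exe as their source process. The Python below is an added example, not Joe Sandbox code: it runs location, hash and parent-lineage checks over process-creation records. The records are constructed from this listing (PIDs and parent links are made up, and pids 10 to 12 are a constructed benign logon chain for contrast); the allow-list of system binaries is a small assumption-level table, not a Windows inventory.

```python
"""Location and lineage checks over process-creation records, the logic behind
the report's "System File Execution Location Anomaly" and "Uncommon Userinit
Child Process" hits.  Added example, not Joe Sandbox code."""
import ntpath

SAMPLE_MD5 = "0017413629107fb8b1a300fe714798a7"     # submitted sample (from the report)

# System32 and SysWOW64 count as one location: WoW64 file system redirection
# sends a 32-bit process that names C:\Windows\System32 to SysWOW64.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: a small allow-list for the demo, not a full Windows inventory.
EXPECTED_DIRS = {
    "userinit.exe": SYSTEM_DIRS,
    "winlogon.exe": SYSTEM_DIRS,
    "lsass.exe": SYSTEM_DIRS,
    "services.exe": SYSTEM_DIRS,
    "svchost.exe": SYSTEM_DIRS,
    "explorer.exe": {r"c:\windows"},
}
USERINIT_CHILDREN = {"explorer.exe"}   # the shell is what a real userinit.exe launches


def split_image(image: str):
    """Lower-cased (directory, file name) of an image path."""
    directory, name = ntpath.split(image)
    return directory.lower(), name.lower()


def check_event(ev: dict, by_pid: dict) -> list:
    """Findings for one process-creation record; by_pid resolves the parent."""
    findings = []
    directory, name = split_image(ev["image"])
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and directory not in expected:
        findings.append(f"{name} running from unexpected location {ev['image']}")
    if directory in SYSTEM_DIRS and ev.get("md5", "").lower() == SAMPLE_MD5:
        findings.append(f"{ev['image']} carries the submitted sample's hash: dropped copy in a system directory")
    cmd = ev.get("cmdline", "").lower()
    if "\\system32\\" in cmd and directory.endswith("syswow64"):
        findings.append("command line names System32 but the image is in SysWOW64: WoW64 redirection, so this is a 32-bit process")
    parent = by_pid.get(ev.get("ppid"))
    if parent is not None:
        _, pname = split_image(parent["image"])
        if pname == "userinit.exe" and name not in USERINIT_CHILDREN:
            findings.append(f"uncommon userinit.exe child: {ev['image']} (parent {parent['image']})")
    return findings


def run(events: list) -> dict:
    """Map pid -> findings for every event that produced at least one."""
    by_pid = {ev["pid"]: ev for ev in events}
    report = {}
    for ev in events:
        hits = check_event(ev, by_pid)
        if hits:
            report[ev["pid"]] = hits
    return report


# Records constructed from the process list above; pids and parent links are
# made up for the demo, and pids 10-12 are a constructed benign logon chain.
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Users\user\Desktop\Pictures.exe",
     "cmdline": r'"C:\Users\user\Desktop\Pictures.exe"', "md5": SAMPLE_MD5},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\userinit.exe",
     "cmdline": r"C:\Windows\userinit.exe", "md5": SAMPLE_MD5},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\SysWOW64\system.exe",
     "cmdline": r"C:\Windows\system32\system.exe", "md5": SAMPLE_MD5},
    {"pid": 10, "ppid": 9, "image": r"C:\Windows\System32\winlogon.exe", "md5": "n/a"},
    {"pid": 11, "ppid": 10, "image": r"C:\Windows\System32\userinit.exe", "md5": "n/a"},
    {"pid": 12, "ppid": 11, "image": r"C:\Windows\explorer.exe", "md5": "n/a"},
]

if __name__ == "__main__":
    for pid, hits in run(EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

Feed it Sysmon event 1 or Security 4688 records (Image, ParentImage, CommandLine, Hashes) to use it outside the demo. The location check is the part that survives hash changes: a repacked variant keeps the userinit.exe name and the C:\Windows path, because the persistence it sets up depends on them.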

    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:18.9%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph (nodes as "id address [APIs called]", edges as "id->id"):
      Function at 520ad3:
        757 520ad3 | 758 520add LoadLibraryA | 759 520af5 | 760 520afb GetProcAddress | 761 520b18
        757->758, 758->759, 759->758, 759->760, 759->761, 760->759
      Function at 520db0:
        762 520db0 | 763 520dcd | 765 520dc3 | 764 520ed3 | 767 520804 VirtualAlloc | 770 52000d | 771 520065 VirtualFree
        762->763, 762->765, 765->764, 765->767, 767->770, 770->771, 771->765
      Function at 520909:
        772 520909 | 774 520919 | 775 52094e | 776 52097f VirtualAlloc | 778 5209ac | 777 520a4e MessageBoxA ExitProcess | 779 520a68 | 788 521030 | 784 520aa8 VirtualFree | 782 5209ed | 783 5209fd wsprintfA | 786 520a0d wsprintfA | 787 520a48 | 790 52103c | 789 5209e9 | 792 521086 | 794 521094 | 795 5210b6 | 796 5210cb | 798 521252 LoadLibraryA
        772->774, 774->775, 775->776, 776->778, 778->777, 778->779, 778->788, 779->784, 782->783, 782->786, 783->787, 786->787, 787->777, 788->790, 789->779, 789->782, 790->789, 790->792, 792->794, 794->795, 795->796, 795->798, 798->795
      Function at 5211ed:
        801 5211ed VirtualProtect | 802 521228 | 803 52122c VirtualProtect
        801->802, 801->803, 802->803
      Nodes without edges:
        800 521274 GetProcAddress | 799 52129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(005C0000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.2098576049.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.2098564694.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2098576049.0000000000428000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2098576049.0000000000430000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_Pictures.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000000.00000002.2098632297.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_520000_Pictures.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d32333b559d4a590a820417eb3e2af78739bf06cd756918fe05bff833f4e6337
    • Instruction ID: 016516a10c46f6077742c6c7af08844518ae938896ee21dac826a9eb443f18c2
    • Opcode Fuzzy Hash: d32333b559d4a590a820417eb3e2af78739bf06cd756918fe05bff833f4e6337
    • Instruction Fuzzy Hash: F6525A72D011399BCB18CE69D4841ADBBB1FF89350F26D26AEC596B2C5C674AE41CFC0
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(00540000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.2125715274.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_520000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000003.00000002.2125715274.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_520000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000003.00000002.2125715274.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_520000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000003.00000002.2125715274.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_520000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000003.00000002.2125715274.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_520000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000003.00000002.2125658147.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.2125645802.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.2125658147.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.2125658147.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005C0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.2137123046.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000004.00000002.2137123046.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000004.00000002.2137123046.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000004.00000002.2137123046.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000004.00000002.2137123046.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Memory Dump Source
    • Source File: 00000004.00000002.2137065523.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.2137050027.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000004.00000002.2137065523.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000004.00000002.2137065523.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005C0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2148987345.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000005.00000002.2148987345.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000005.00000002.2148987345.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000005.00000002.2148987345.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 41: 511252-511266, calls LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000005.00000002.2148987345.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 80: 401220-401225, calls 401218, successor 82
    • Block 82: 40122a-40125d, successors 83 and 84
    • Block 84: 40125f-4012c6, successor 83
    • Block 83: 4012ce-4012e1, successors 85 and 86
    • Block 85: 4012e3-4012e6, successor 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000005.00000002.2148937407.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.2148921921.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000005.00000002.2148937407.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000005.00000002.2148937407.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph (rendered image; node addresses and API names as exported)

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    • 510db0 -> 510dc3 -> 510804 VirtualAlloc -> 51000d -> 510065 VirtualFree -> back to 510dc3; 510dc3 -> 510ed3; 510db0 -> 510dcd
    • 510ad3 -> 510add LoadLibraryA -> 510af5 -> 510afb GetProcAddress -> back to 510af5; 510af5 -> back to 510add; 510af5 -> 510b18
    • 511274 GetProcAddress (no recorded edges)
    • 510909 -> 510919 -> 51094e -> 51097f VirtualAlloc -> 5109ac, then one of: 510a4e MessageBoxA, ExitProcess; 510a68 -> 510aa8 VirtualFree; 511030 -> 51103c -> 5109e9 -> 510a68, or 5109e9 -> 5109ed -> 5109fd wsprintfA / 510a0d wsprintfA -> 510a48 -> 510a4e
    • 51103c -> 511086 -> 511094 -> 5110b6 -> 511252 LoadLibraryA -> back to 5110b6; 5110b6 -> 5110cb
    • 5111ed VirtualProtect -> 511228 -> 51122c VirtualProtect; also 5111ed -> 51122c directly
    • 51129c VirtualProtect, VirtualProtect (no recorded edges)

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00590000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.2173739543.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 31: 510ad3-510ada, successor 32
    • Block 32: 510add-510af3, calls LoadLibraryA, successor 33
    • Block 33: 510af5-510af9, successors 34 and 35
    • Block 35: 510afb-510b0f, calls GetProcAddress, successor 33 (back edge)
    • Block 34: 510b11-510b16, successors 32 (back edge) and 36
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000006.00000002.2173739543.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%
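The exported graph text for this function (block id, address range, API names, `id->id` edges) is compact but hard to read, and the loops are the part that matters: the back edges 34->32 and 35->33 are what make this an import-resolution loop rather than a single LoadLibraryA/GetProcAddress pair. The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses the `control_flow_graph` export format as it appears on this page (two exports copied from the page are embedded as constructed input), finds the back edges by depth-first search from the entry block, computes each natural loop body, and lists the API calls inside it. The format is read off the page; the `Block`/`Cfg` names and the rule that API labels start with a capital letter are this example's own assumptions.

```python
"""Parse the `control_flow_graph` text the sandbox exports per function and list
the loops with the API calls inside them.  Added example, not part of the report
or of Joe Sandbox: the format is read off this page, the samples are copied from
it, and the loop construction is the standard natural-loop algorithm."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed samples: two graph exports for the code mapped at 00510000.
CFG_IMPORT_RESOLVER = ("control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA "
                       "31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 "
                       "35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c "
                       "34->36 35->33")
CFG_ALLOC_FREE = "control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree"

RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")   # start-end of a basic block
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")               # block id -> block id


@dataclass
class Block:
    start: int
    end: int
    labels: List[str] = field(default_factory=list)   # APIs, 'call <addr>', '* 2', ...


@dataclass
class Cfg:
    blocks: Dict[int, Block]
    edges: List[Tuple[int, int]]
    entry: int                                        # first block listed


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur, i = None, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        e, r = EDGE_RE.match(t), RANGE_RE.match(nxt)
        if e:                                   # an edge
            edges.append((int(e[1]), int(e[2])))
            i += 1
        elif t.isdigit() and r:                 # '<id> <start>-<end>' opens a block
            cur = int(t)
            blocks[cur] = Block(int(r[1], 16), int(r[2], 16))
            i += 2
        elif cur is None:
            raise ValueError(f"label {t!r} before any block")
        else:                                   # anything else labels the open block
            blocks[cur].labels.append(t)
            i += 1
    if not blocks:
        raise ValueError("no blocks in export")
    return Cfg(blocks, edges, next(iter(blocks)))


def back_edges(cfg: Cfg) -> List[Tuple[int, int]]:
    """Edges that close a cycle, found by DFS from the entry block."""
    succ: Dict[int, List[int]] = {}
    for u, v in cfg.edges:
        succ.setdefault(u, []).append(v)
    state: Dict[int, str] = {}
    found: List[Tuple[int, int]] = []

    def visit(u: int) -> None:
        state[u] = "open"
        for v in succ.get(u, []):
            if state.get(v) == "open":
                found.append((u, v))
            elif v not in state:
                visit(v)
        state[u] = "done"

    visit(cfg.entry)
    return found


def natural_loop(cfg: Cfg, tail: int, header: int) -> Set[int]:
    """Body of the loop closed by tail->header: the header plus every block that
    reaches tail without passing through the header."""
    pred: Dict[int, List[int]] = {}
    for u, v in cfg.edges:
        pred.setdefault(v, []).append(u)
    body, stack = {header, tail}, [tail]
    while stack:
        for p in pred.get(stack.pop(), []):
            if p not in body:
                body.add(p)
                stack.append(p)
    return body


def loops_with_apis(cfg: Cfg) -> List[Tuple[Tuple[int, int], List[str]]]:
    """(tail, header) of each loop with the API names called in its body; labels
    that are not capitalised ('call', addresses, '* 2') are not APIs and are skipped."""
    out = []
    for tail, header in back_edges(cfg):
        body = natural_loop(cfg, tail, header)
        apis = {lab for n in body if n in cfg.blocks
                for lab in cfg.blocks[n].labels if lab[:1].isupper()}
        out.append(((tail, header), sorted(apis)))
    return out


if __name__ == "__main__":
    for text in (CFG_IMPORT_RESOLVER, CFG_ALLOC_FREE):
        g = parse_cfg(text)
        for n, b in g.blocks.items():
            print(f"block {n}: {b.start:06x}-{b.end:06x} {' '.join(b.labels)}")
        print("loops:", loops_with_apis(g) or "none")
```

For the export above the outer loop (34->32) contains both LoadLibraryA and GetProcAddress and the inner loop (35->33) only GetProcAddress, which is the nested DLL-name / procedure-name iteration one expects from a stub resolving its real imports by hand.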

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 37: 51129c-5112ea, calls VirtualProtect twice
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000006.00000002.2173739543.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 38: 510804-51087f, calls VirtualAlloc, then the subroutine at 51000d, then VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000006.00000002.2173739543.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 41: 511252-511266, calls LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000006.00000002.2173739543.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%
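The "APIs" tables in the function blocks above log the raw DWORD arguments, so the allocation type, the page protection and the free type have to be decoded by hand before the trace reads as a story (commit a PAGE_EXECUTE_READWRITE region, resolve imports with LoadLibraryA/GetProcAddress, flip a mapped page to PAGE_READWRITE and back, release the scratch region). The Python below is an added example, not part of the Joe Sandbox report: it parses lines in the report's `Api.Module(args), ref: addr` form, decodes the documented Win32 constants, and tags the pattern the calls form. The embedded trace is constructed from the PID 6 lines above; reading `?` as an argument the sandbox could not recover, the tag names, and the "unpacker stub" rule are this example's own heuristics, not a Joe Sandbox signature.

```python
"""Decode the DWORD arguments in a sandbox API trace and tag the pattern they form.
Added example, not part of the report: the constant tables are documented Win32 values,
the tags and the 'unpacker stub' rule are this example's own heuristics, and
SAMPLE_TRACE is constructed from the report's "APIs" lines for the code at 00510000."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Union

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
WRITABLE, EXECUTABLE = {0x04, 0x40}, {0x10, 0x20, 0x40}

SAMPLE_TRACE = """\
• VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
• MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
• VirtualFree.KERNELBASE(00590000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
• LoadLibraryA.KERNELBASE ref: 00510AE2
• GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
• VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
• VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
"""
# "<Api>.<Module>(<args>), ref: <addr>"; no parentheses when no arguments were logged.
LINE_RE = re.compile(r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
Arg = Union[int, str, None]   # None stands for '?', an argument the sandbox could not recover


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int                                    # address of the call instruction
    notes: List[str] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):  # DWORDs are logged as 8 hex digits
        return int(tok, 16)
    return tok                                   # strings such as the MessageBoxA text


def hx(v: Arg) -> str:
    return "?" if v is None else (f"{v:#x}" if isinstance(v, int) else repr(v))


def mem_name(v: Arg) -> str:
    """Decompose a MEM_* bit mask; bits outside the table are kept as hex."""
    if not isinstance(v, int):
        return "?"
    names = [n for bit, n in MEM_FLAGS.items() if v & bit]
    rest = v & ~sum(MEM_FLAGS)
    return "|".join(names + ([f"{rest:#x}"] if rest else [])) or "0"


def page_name(v: Arg) -> str:
    """PAGE_* values are exclusive in the low byte; modifier bits above it stay hex."""
    if not isinstance(v, int):
        return "?"
    base = PAGE_NAMES.get(v & 0xFF, f"{v & 0xFF:#x}")
    return base if v < 0x100 else f"{base}|{v & ~0xFF:#x}"


def decode(c: ApiCall) -> ApiCall:
    a = c.args
    if c.api == "VirtualAlloc" and len(a) >= 4:
        c.notes.append(f"size={hx(a[1])} type={mem_name(a[2])} protect={page_name(a[3])}")
        if a[3] in WRITABLE and a[3] in EXECUTABLE:
            c.tags.add("rwx_alloc")
    elif c.api == "VirtualProtect" and len(a) >= 3:
        c.notes.append(f"size={hx(a[1])} new_protect={page_name(a[2])}")
        if a[2] in WRITABLE:
            c.tags.add("protect_to_writable")
    elif c.api == "VirtualFree" and len(a) >= 3:
        c.notes.append(f"base={hx(a[0])} type={mem_name(a[2])}")
    elif c.api in ("LoadLibraryA", "GetProcAddress"):
        c.tags.add("runtime_import_resolution")
    elif c.api == "MessageBoxA" and len(a) >= 4:
        c.notes.append(f"text={hx(a[1])} caption={hx(a[2])} type={hx(a[3])}")
        c.tags.add("user_visible_error")
    return c


def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            raw = m["args"]
            args = [parse_arg(t) for t in raw.split(",")] if raw else []
            calls.append(decode(ApiCall(m["api"], m["module"], args, int(m["ref"], 16))))
    return calls


def classify(calls: List[ApiCall]) -> Set[str]:
    tags = set().union(*(c.tags for c in calls))
    # Heuristic: RWX scratch memory + run-time import resolution + mapped pages made writable.
    if {"rwx_alloc", "runtime_import_resolution", "protect_to_writable"} <= tags:
        tags.add("unpacker_stub_pattern")
    return tags


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print(f"{c.ref:08X} {c.api:<15} {' '.join(c.notes)} {sorted(c.tags)}")
    print(sorted(classify(calls)))
```

Two of the logged values deserve a caveat when reading the output: the size `AD10001F` in the first VirtualAlloc and the `ED815D00,SWVU` trailing arguments of VirtualFree are stack contents the sandbox captured beyond the real parameter list, not values the stub passed, so only the allocation type and protection should be trusted from those lines.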

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 80: 401220-401225, calls 401218, successor 82
    • Block 82: 40122a-40125d, successors 83 and 84
    • Block 84: 40125f-4012c6, successor 83
    • Block 83: 4012ce-4012e1, successors 85 and 86
    • Block 85: 4012e3-4012e6, successor 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000006.00000002.2173653364.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000006.00000002.2173633648.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000006.00000002.2173653364.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000006.00000002.2173653364.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph (rendered image; node addresses and API names as exported)

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    • 441274 GetProcAddress (no recorded edges)
    • 440db0 -> 440dc3 -> 440804 VirtualAlloc -> 44000d -> 440065 VirtualFree -> back to 440dc3; 440dc3 -> 440ed3; 440db0 -> 440dcd
    • 440ad3 -> 440add LoadLibraryA -> 440af5 -> 440afb GetProcAddress -> back to 440af5; 440af5 -> back to 440add; 440af5 -> 440b18
    • 44129c VirtualProtect, VirtualProtect (no recorded edges)
    • 4411ed VirtualProtect -> 441228 -> 44122c VirtualProtect; also 4411ed -> 44122c directly
    • 440909 -> 440919 -> 44094e -> 44097f VirtualAlloc -> 4409ac, then one of: 440a4e MessageBoxA, ExitProcess; 440a68 -> 440aa8 VirtualFree; 441030 -> 44103c -> 4409e9 -> 440a68, or 4409e9 -> 4409ed -> 4409fd wsprintfA / 440a0d wsprintfA -> 440a48 -> 440a4e
    • 44103c -> 441086 -> 441094 -> 4410b6 -> 441252 LoadLibraryA -> back to 4410b6; 4410b6 -> 4410cb

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00510000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.2184971575.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 31: 440ad3-440ada, successor 32
    • Block 32: 440add-440af3, calls LoadLibraryA, successor 33
    • Block 33: 440af5-440af9, successors 34 and 35
    • Block 35: 440afb-440b0f, calls GetProcAddress, successor 33 (back edge)
    • Block 34: 440b11-440b16, successors 32 (back edge) and 36
    • Block 36: 440b18-440b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000007.00000002.2184971575.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 37: 44129c-4412ea, calls VirtualProtect twice
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000007.00000002.2184971575.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 38: 440804-44087f, calls VirtualAlloc, then the subroutine at 44000d, then VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000007.00000002.2184971575.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 41: 441252-441266, calls LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000007.00000002.2184971575.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 80: 401220-401225, calls 401218, successor 82
    • Block 82: 40122a-40125d, successors 83 and 84
    • Block 84: 40125f-4012c6, successor 83
    • Block 83: 4012ce-4012e1, successors 85 and 86
    • Block 85: 4012e3-4012e6, successor 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000007.00000002.2184895640.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.2184852571.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000007.00000002.2184895640.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000007.00000002.2184895640.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph (rendered image; node addresses and API names as exported)

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    • 441274 GetProcAddress (no recorded edges)
    • 440db0 -> 440dc3 -> 440804 VirtualAlloc -> 44000d -> 440065 VirtualFree -> back to 440dc3; 440dc3 -> 440ed3; 440db0 -> 440dcd
    • 440ad3 -> 440add LoadLibraryA -> 440af5 -> 440afb GetProcAddress -> back to 440af5; 440af5 -> back to 440add; 440af5 -> 440b18
    • 44129c VirtualProtect, VirtualProtect (no recorded edges)
    • 4411ed VirtualProtect -> 441228 -> 44122c VirtualProtect; also 4411ed -> 44122c directly
    • 440909 -> 440919 -> 44094e -> 44097f VirtualAlloc -> 4409ac, then one of: 440a4e MessageBoxA, ExitProcess; 440a68 -> 440aa8 VirtualFree; 441030 -> 44103c -> 4409e9 -> 440a68, or 4409e9 -> 4409ed -> 4409fd wsprintfA / 440a0d wsprintfA -> 440a48 -> 440a4e
    • 44103c -> 441086 -> 441094 -> 4410b6 -> 441252 LoadLibraryA -> back to 4410b6; 4410b6 -> 4410cb

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(02070000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.2196358258.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 31: 440ad3-440ada, successor 32
    • Block 32: 440add-440af3, calls LoadLibraryA, successor 33
    • Block 33: 440af5-440af9, successors 34 and 35
    • Block 35: 440afb-440b0f, calls GetProcAddress, successor 33 (back edge)
    • Block 34: 440b11-440b16, successors 32 (back edge) and 36
    • Block 36: 440b18-440b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000008.00000002.2196358258.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 37: 44129c-4412ea, calls VirtualProtect twice
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000008.00000002.2196358258.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 38: 440804-44087f, calls VirtualAlloc, then the subroutine at 44000d, then VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000008.00000002.2196358258.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 41: 441252-441266, calls LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000008.00000002.2196358258.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 80: 401220-401225, calls 401218, successor 82
    • Block 82: 40122a-40125d, successors 83 and 84
    • Block 84: 40125f-4012c6, successor 83
    • Block 83: 4012ce-4012e1, successors 85 and 86
    • Block 85: 4012e3-4012e6, successor 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000008.00000002.2196284108.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000008.00000002.2196264097.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000008.00000002.2196284108.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000008.00000002.2196284108.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph (rendered image; node addresses and API names as exported)

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    • 510db0 -> 510dc3 -> 510804 VirtualAlloc -> 51000d -> 510065 VirtualFree -> back to 510dc3; 510dc3 -> 510ed3; 510db0 -> 510dcd
    • 510ad3 -> 510add LoadLibraryA -> 510af5 -> 510afb GetProcAddress -> back to 510af5; 510af5 -> back to 510add; 510af5 -> 510b18
    • 511274 GetProcAddress (no recorded edges)
    • 510909 -> 510919 -> 51094e -> 51097f VirtualAlloc -> 5109ac, then one of: 510a4e MessageBoxA, ExitProcess; 510a68 -> 510aa8 VirtualFree; 511030 -> 51103c -> 5109e9 -> 510a68, or 5109e9 -> 5109ed -> 5109fd wsprintfA / 510a0d wsprintfA -> 510a48 -> 510a4e
    • 51103c -> 511086 -> 511094 -> 5110b6 -> 511252 LoadLibraryA -> back to 5110b6; 5110b6 -> 5110cb
    • 5111ed VirtualProtect -> 511228 -> 51122c VirtualProtect; also 5111ed -> 51122c directly
    • 51129c VirtualProtect, VirtualProtect (no recorded edges)

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2208840583.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 31: 510ad3-510ada, successor 32
    • Block 32: 510add-510af3, calls LoadLibraryA, successor 33
    • Block 33: 510af5-510af9, successors 34 and 35
    • Block 35: 510afb-510b0f, calls GetProcAddress, successor 33 (back edge)
    • Block 34: 510b11-510b16, successors 32 (back edge) and 36
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000009.00000002.2208840583.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 37: 51129c-5112ea, calls VirtualProtect twice
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000009.00000002.2208840583.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (rendered image; executed/not-executed colouring not reproduced)

    • Block 38: 510804-51087f, calls VirtualAlloc, then the subroutine at 51000d, then VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000009.00000002.2208840583.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000009.00000002.2208840583.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000009.00000002.2208756667.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000009.00000002.2208711916.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000009.00000002.2208756667.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000009.00000002.2208756667.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.7%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph 757 620ad3 758 620add LoadLibraryA 757->758 759 620af5 758->759 759->758 760 620afb GetProcAddress 759->760 761 620b18 759->761 760->759 762 620db0 763 620dcd 762->763 765 620dc3 762->765 764 620ed3 765->764 767 620804 VirtualAlloc 765->767 770 62000d 767->770 771 620065 VirtualFree 770->771 771->765 800 621274 GetProcAddress 772 620909 774 620919 772->774 775 62094e 774->775 776 62097f VirtualAlloc 775->776 778 6209ac 776->778 777 620a4e MessageBoxA ExitProcess 778->777 781 620a68 778->781 788 621030 778->788 784 620aa8 VirtualFree 781->784 782 6209ed 783 6209fd wsprintfA 782->783 786 620a0d wsprintfA 782->786 787 620a48 783->787 786->787 787->777 789 62103c 788->789 791 6209e9 789->791 792 621086 789->792 791->781 791->782 794 621094 792->794 795 6210b6 794->795 796 6210cb 795->796 798 621252 LoadLibraryA 795->798 798->795 799 62129c VirtualProtect VirtualProtect 801 6211ed VirtualProtect 802 621228 801->802 803 62122c VirtualProtect 801->803 802->803

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,006214CC), ref: 0062099A
    • wsprintfA.USER32 ref: 00620A23
    • wsprintfA.USER32 ref: 00620A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00620A5A
    • ExitProcess.KERNEL32(00000000), ref: 00620A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00620AB5
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2264054274.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_620000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: f0f662a6c6101768ca38dbb8051db39c4d3b162183e73e85bbc3d59e44a6110d
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: B241CF32601B969BEB38DF24CC44BEF73AAEF05341F00022DED0697646DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 620ad3-620ada 32 620add-620af3 LoadLibraryA 31->32 33 620af5-620af9 32->33 34 620b11-620b16 33->34 35 620afb-620b0f GetProcAddress 33->35 34->32 36 620b18-620b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00620AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00620B04
    Memory Dump Source
    • Source File: 0000000A.00000002.2264054274.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_620000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 967061f56c31bc74acda673fa767d4c53f16c198c667deb3aaa0aae45f42147f
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 51F0E2736006009BDB20CF18DCC09AAF3B2EF943653298839DC4297305D235FD158E10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 62129c-6212ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 006212C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 006212E0
    Memory Dump Source
    • Source File: 0000000A.00000002.2264054274.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_620000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 620804-62087f VirtualAlloc call 62000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0062084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00620876
    Memory Dump Source
    • Source File: 0000000A.00000002.2264054274.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_620000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 5f2e80eb1d6b2a13ad31efeb48f86e4e04a9b47a4ad0e33ef21f683c376930f9
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B201B572A00218BFFB009F59DC41FEEB7BDEB48350F108026F654E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 621252-621266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0062125C
    Memory Dump Source
    • Source File: 0000000A.00000002.2264054274.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_620000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000A.00000002.2263689726.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.2263653272.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000A.00000002.2263689726.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000A.00000002.2263689726.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.7%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph 800 441274 GetProcAddress 757 440db0 758 440dcd 757->758 760 440dc3 757->760 759 440ed3 760->759 762 440804 VirtualAlloc 760->762 765 44000d 762->765 766 440065 VirtualFree 765->766 766->760 767 440ad3 768 440add LoadLibraryA 767->768 769 440af5 768->769 769->768 770 440afb GetProcAddress 769->770 771 440b18 769->771 770->769 772 44129c VirtualProtect VirtualProtect 801 4411ed VirtualProtect 802 44122c VirtualProtect 801->802 803 441228 801->803 803->802 773 440909 775 440919 773->775 776 44094e 775->776 777 44097f VirtualAlloc 776->777 779 4409ac 777->779 778 440a4e MessageBoxA ExitProcess 779->778 782 440a68 779->782 789 441030 779->789 785 440aa8 VirtualFree 782->785 783 4409ed 784 4409fd wsprintfA 783->784 787 440a0d wsprintfA 783->787 788 440a48 784->788 787->788 788->778 791 44103c 789->791 790 4409e9 790->782 790->783 791->790 793 441086 791->793 795 441094 793->795 796 4410b6 795->796 797 4410cb 796->797 799 441252 LoadLibraryA 796->799 799->796

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000000B.00000002.2264653069.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000000B.00000002.2264653069.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000000B.00000002.2264653069.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000000B.00000002.2264653069.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000000B.00000002.2264653069.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000B.00000002.2264535748.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000B.00000002.2264236355.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000B.00000002.2264535748.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000B.00000002.2264535748.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.7%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph 757 510db0 758 510dcd 757->758 760 510dc3 757->760 759 510ed3 760->759 762 510804 VirtualAlloc 760->762 765 51000d 762->765 766 510065 VirtualFree 765->766 766->760 767 510ad3 768 510add LoadLibraryA 767->768 769 510af5 768->769 769->768 770 510afb GetProcAddress 769->770 771 510b18 769->771 770->769 800 511274 GetProcAddress 772 510909 774 510919 772->774 775 51094e 774->775 776 51097f VirtualAlloc 775->776 778 5109ac 776->778 777 510a4e MessageBoxA ExitProcess 778->777 779 510a68 778->779 788 511030 778->788 784 510aa8 VirtualFree 779->784 782 5109ed 783 5109fd wsprintfA 782->783 786 510a0d wsprintfA 782->786 787 510a48 783->787 786->787 787->777 790 51103c 788->790 789 5109e9 789->779 789->782 790->789 792 511086 790->792 794 511094 792->794 795 5110b6 794->795 796 5110cb 795->796 798 511252 LoadLibraryA 795->798 798->795 801 5111ed VirtualProtect 802 511228 801->802 803 51122c VirtualProtect 801->803 802->803 799 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00690000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000000D.00000002.2293400925.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000000D.00000002.2293400925.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000000D.00000002.2293400925.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000000D.00000002.2293400925.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000000D.00000002.2293400925.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000D.00000002.2293311272.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000D.00000002.2293278071.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000D.00000002.2293311272.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000D.00000002.2293311272.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_13_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.7%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph 800 441274 GetProcAddress 757 440db0 758 440dcd 757->758 760 440dc3 757->760 759 440ed3 760->759 762 440804 VirtualAlloc 760->762 765 44000d 762->765 766 440065 VirtualFree 765->766 766->760 767 440ad3 768 440add LoadLibraryA 767->768 769 440af5 768->769 769->768 770 440afb GetProcAddress 769->770 771 440b18 769->771 770->769 772 44129c VirtualProtect VirtualProtect 801 4411ed VirtualProtect 802 44122c VirtualProtect 801->802 803 441228 801->803 803->802 773 440909 775 440919 773->775 776 44094e 775->776 777 44097f VirtualAlloc 776->777 779 4409ac 777->779 778 440a4e MessageBoxA ExitProcess 779->778 782 440a68 779->782 789 441030 779->789 785 440aa8 VirtualFree 782->785 783 4409ed 784 4409fd wsprintfA 783->784 787 440a0d wsprintfA 783->787 788 440a48 784->788 787->788 788->778 791 44103c 789->791 790 4409e9 790->782 790->783 791->790 793 441086 791->793 795 441094 793->795 796 4410b6 795->796 797 4410cb 796->797 799 441252 LoadLibraryA 796->799 799->796

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(004B0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.2304048881.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000000E.00000002.2304048881.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000000E.00000002.2304048881.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000000E.00000002.2304048881.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000000E.00000002.2304048881.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000E.00000002.2303953696.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000E.00000002.2303923724.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000E.00000002.2303953696.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000E.00000002.2303953696.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 757 510db0 758 510dcd 757->758 760 510dc3 757->760 759 510ed3 760->759 762 510804 VirtualAlloc 760->762 765 51000d 762->765 766 510065 VirtualFree 765->766 766->760 767 510ad3 768 510add LoadLibraryA 767->768 769 510af5 768->769 769->768 770 510afb GetProcAddress 769->770 771 510b18 769->771 770->769 800 511274 GetProcAddress 772 510909 774 510919 772->774 775 51094e 774->775 776 51097f VirtualAlloc 775->776 778 5109ac 776->778 777 510a4e MessageBoxA ExitProcess 778->777 781 510a68 778->781 788 511030 778->788 784 510aa8 VirtualFree 781->784 782 5109ed 783 5109fd wsprintfA 782->783 786 510a0d wsprintfA 782->786 787 510a48 783->787 786->787 787->777 790 51103c 788->790 789 5109e9 789->781 789->782 790->789 792 511086 790->792 794 511094 792->794 795 5110b6 794->795 796 5110cb 795->796 798 511252 LoadLibraryA 795->798 798->795 801 5111ed VirtualProtect 802 511228 801->802 803 51122c VirtualProtect 801->803 802->803 799 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2318472494.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000011.00000002.2318472494.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000011.00000002.2318472494.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000011.00000002.2318472494.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000011.00000002.2318472494.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000011.00000002.2318369586.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000011.00000002.2318336395.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000011.00000002.2318369586.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000011.00000002.2318369586.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.2325225319.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000012.00000002.2325225319.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000012.00000002.2325225319.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000012.00000002.2325225319.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000012.00000002.2325225319.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000012.00000002.2325136429.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000002.2325106530.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000012.00000002.2325136429.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000012.00000002.2325136429.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.2333252023.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000013.00000002.2333252023.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000013.00000002.2333252023.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000013.00000002.2333252023.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000013.00000002.2333252023.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000013.00000002.2333163285.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000013.00000002.2333089788.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000013.00000002.2333163285.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000013.00000002.2333163285.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005E0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000014.00000002.2355908744.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000014.00000002.2355908744.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000014.00000002.2355908744.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000014.00000002.2355908744.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000014.00000002.2355908744.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000014.00000002.2355791531.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000014.00000002.2355772625.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000014.00000002.2355791531.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000014.00000002.2355791531.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00590000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000015.00000002.2365120321.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000015.00000002.2365120321.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000015.00000002.2365120321.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000015.00000002.2365120321.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000015.00000002.2365120321.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000015.00000002.2365056192.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000015.00000002.2365037816.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000015.00000002.2365056192.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000015.00000002.2365056192.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004514CC), ref: 0045099A
    • wsprintfA.USER32 ref: 00450A23
    • wsprintfA.USER32 ref: 00450A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00450A5A
    • ExitProcess.KERNEL32(00000000), ref: 00450A62
    • VirtualFree.KERNELBASE(02070000,00000000,00008000,ED815D00,SWVU), ref: 00450AB5
    Strings
    Memory Dump Source
    • Source File: 00000016.00000002.2372384325.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_450000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: a68b9e4b470a4c4d7d6d1a9a22ef3059d8189f78a6167b784e13947708d59b53
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 2841AD366017469BDB38DF24CC44BEB73A8AF45342F00022EED069764ADB74AD19CB58
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 450ad3-450ada 32 450add-450af3 LoadLibraryA 31->32 33 450af5-450af9 32->33 34 450b11-450b16 33->34 35 450afb-450b0f GetProcAddress 33->35 34->32 36 450b18-450b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00450AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00450B04
    Memory Dump Source
    • Source File: 00000016.00000002.2372384325.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_450000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: c3a81a2d2ca1aec655e532447ef5a933ec4ee7638c291e49d404dccaf7f5da54
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: DEF0E27B6002009BCB10CF58CCC09AAB3B1EFA4366329883ADC4297305D239FD198A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 45129c-4512ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004512C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004512E0
    Memory Dump Source
    • Source File: 00000016.00000002.2372384325.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_450000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 450804-45087f VirtualAlloc call 45000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0045084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00450876
    Memory Dump Source
    • Source File: 00000016.00000002.2372384325.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_450000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 04b4ee4dcd4e75d97ea7d44b4961b71730b0f39b06dc86596b597cbe1b53a709
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: 5601B576A00218BFEB009F59DC41FEEB7BCEB48754F108026F654E72C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 451252-451266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0045125C
    Memory Dump Source
    • Source File: 00000016.00000002.2372384325.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_450000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000016.00000002.2372241370.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000016.00000002.2372178391.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000016.00000002.2372241370.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000016.00000002.2372241370.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00580000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000017.00000002.2377929293.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000017.00000002.2377929293.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000017.00000002.2377929293.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000017.00000002.2377929293.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000017.00000002.2377929293.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000017.00000002.2377815439.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000017.00000002.2377785269.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000017.00000002.2377815439.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000017.00000002.2377815439.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(00590000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Strings
    Memory Dump Source
    • Source File: 00000018.00000002.2382812985.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 520ad3-520ada 32 520add-520af3 LoadLibraryA 31->32 33 520af5-520af9 32->33 34 520b11-520b16 33->34 35 520afb-520b0f GetProcAddress 33->35 34->32 36 520b18-520b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000018.00000002.2382812985.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 52129c-5212ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000018.00000002.2382812985.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 520804-52087f VirtualAlloc call 52000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000018.00000002.2382812985.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 521252-521266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000018.00000002.2382812985.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000018.00000002.2382642859.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000018.00000002.2382614285.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000018.00000002.2382642859.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000018.00000002.2382642859.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(01F40000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000019.00000002.2402997919.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000019.00000002.2402997919.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000019.00000002.2402997919.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000019.00000002.2402997919.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000019.00000002.2402997919.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000019.00000002.2402928376.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000019.00000002.2402907601.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000019.00000002.2402928376.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000019.00000002.2402928376.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00580000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Memory Dump Source
    • Source File: 0000001A.00000002.2410358820.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001A.00000002.2410358820.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001A.00000002.2410358820.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001A.00000002.2410358820.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001A.00000002.2410358820.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%
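
    The process 26 entries above (the code at 0x510000) show the API shape of a loader stub: VirtualAlloc with flProtect 00000040 (PAGE_EXECUTE_READWRITE), a LoadLibraryA/GetProcAddress loop next to the wsprintfA format strings "The ordinal %d could not be located in the DLL %s." and "The procedure %s could not be located in the DLL %s." with MessageBoxA("Application corrupt.") and ExitProcess in the same function, a VirtualProtect pair whose first call sets 00000004 (PAGE_READWRITE) and whose second call takes a runtime value (the usual shape of a restore), and VirtualFree with 00008000 (MEM_RELEASE). The script below is an added example, not part of the Joe Sandbox report: it parses "APIs" bullets in the format printed above and flags those markers per function. The sample listing is copied from the process 26 entries; the constants are the standard winnt.h values; the category names are the example's own. The argument slots are stack snapshots, so "?" is unknown and values such as -00000436 for dwSize or SWVU are not real arguments; the script treats anything that is not a hex number as unknown.

```python
import re

# Standard Windows constants (winnt.h / memoryapi.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
MEM_RELEASE = 0x8000

# Constructed sample: "APIs" bullets copied from the process 26 (0x510000) entries,
# plus one non-API line to show that it is ignored.
SAMPLE_LISTING = """\
• VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
• wsprintfA.USER32 ref: 00510A23
• MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
• ExitProcess.KERNEL32(00000000), ref: 00510A62
• VirtualFree.KERNELBASE(00580000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
• LoadLibraryA.KERNELBASE ref: 00510AE2
• GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
• VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
• VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
Memory Dump Source
"""

# One bullet as the report prints it:  • Api.Module(arg,arg,...), ref: 0051099A
# The argument list and the comma after it are optional (see the wsprintfA line).
API_LINE = re.compile(
    r"^\s*(?:[•*]\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_arg(token):
    """Turn one argument slot into an int; '?' and string literals become None."""
    try:
        # The report prints signed hex for some slots, e.g. -00000436; int() accepts that.
        return int(token.strip(), 16)
    except ValueError:
        return None


def parse_api_line(line):
    """Return (api, module, [args], ref) for an API bullet, or None for any other line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(a) for a in raw.split(",")] if raw else []
    return m.group("api"), m.group("module"), args, m.group("ref")


def analyze(listing):
    """Flag loader-stub markers in one function's API listing, keyed by the call site (ref)."""
    calls = [c for c in map(parse_api_line, listing.splitlines()) if c]
    findings = {
        "rwx_alloc": [],            # VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect=0x40)
        "page_made_writable": [],   # VirtualProtect(addr, size, flNewProtect=0x04, lpflOldProtect)
        "released": [],             # VirtualFree(addr, size, dwFreeType=0x8000)
        "dynamic_import_resolution": False,
        "apis": sorted({api for api, _, _, _ in calls}),
    }
    for api, _module, args, ref in calls:
        if api == "VirtualAlloc" and len(args) >= 4 and args[3] == PAGE_EXECUTE_READWRITE:
            findings["rwx_alloc"].append(ref)
        elif api == "VirtualProtect" and len(args) >= 3 and args[2] == PAGE_READWRITE:
            findings["page_made_writable"].append(ref)
        elif api == "VirtualFree" and len(args) >= 3 and args[2] == MEM_RELEASE:
            findings["released"].append(ref)
    # Import resolution by hand: both calls present in the same function.
    findings["dynamic_import_resolution"] = {"LoadLibraryA", "GetProcAddress"} <= set(findings["apis"])
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

    Run against the listing of a single function, the script reports the RWX allocation at 0051099A, the page made writable at 005112C7, the release at 00510AB5 and the LoadLibraryA/GetProcAddress pair; the VirtualAlloc at 0051084E with flProtect 00000004 is correctly left out. Feed it one function at a time, since the dynamic-import check is only meaningful within one function's call set.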

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001A.00000002.2410255368.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001A.00000002.2410223415.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001A.00000002.2410255368.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001A.00000002.2410255368.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Memory Dump Source
    • Source File: 0000001B.00000002.2412608940.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001B.00000002.2412608940.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001B.00000002.2412608940.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001B.00000002.2412608940.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001B.00000002.2412608940.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Memory Dump Source
    • Source File: 0000001C.00000002.2416329923.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001C.00000002.2416329923.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001C.00000002.2416329923.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001C.00000002.2416329923.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001C.00000002.2416329923.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001C.00000002.2416241950.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001C.00000002.2416217156.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001C.00000002.2416241950.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001C.00000002.2416241950.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00500000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 0000001D.00000002.2420848896.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000001D.00000002.2420848896.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000001D.00000002.2420848896.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000001D.00000002.2420848896.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000001D.00000002.2420848896.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001D.00000002.2420611393.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001D.00000002.2420580845.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001D.00000002.2420611393.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001D.00000002.2420611393.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(004D0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 0000001E.00000002.2441362080.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000001E.00000002.2441362080.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000001E.00000002.2441362080.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000001E.00000002.2441362080.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000001E.00000002.2441362080.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001E.00000002.2440818904.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001E.00000002.2440435773.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001E.00000002.2440818904.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001E.00000002.2440818904.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000001F.00000002.2444891983.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001F.00000002.2444891983.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001F.00000002.2444891983.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001F.00000002.2444891983.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001F.00000002.2444891983.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001F.00000002.2444785624.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001F.00000002.2444735428.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001F.00000002.2444785624.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001F.00000002.2444785624.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00510000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000020.00000002.2447405191.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000020.00000002.2447405191.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000020.00000002.2447405191.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000020.00000002.2447405191.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000020.00000002.2447405191.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000020.00000002.2447227132.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000020.00000002.2447177452.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000020.00000002.2447227132.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000020.00000002.2447227132.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(02080000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000021.00000002.2450407016.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000021.00000002.2450407016.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000021.00000002.2450407016.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000021.00000002.2450407016.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000021.00000002.2450407016.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000021.00000002.2450214608.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000021.00000002.2450181020.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000021.00000002.2450214608.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000021.00000002.2450214608.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004514CC), ref: 0045099A
    • wsprintfA.USER32 ref: 00450A23
    • wsprintfA.USER32 ref: 00450A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00450A5A
    • ExitProcess.KERNEL32(00000000), ref: 00450A62
    • VirtualFree.KERNELBASE(02080000,00000000,00008000,ED815D00,SWVU), ref: 00450AB5
    Strings
    Memory Dump Source
    • Source File: 00000022.00000002.2479107279.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_450000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: a68b9e4b470a4c4d7d6d1a9a22ef3059d8189f78a6167b784e13947708d59b53
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 2841AD366017469BDB38DF24CC44BEB73A8AF45342F00022EED069764ADB74AD19CB58
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 31 450ad3-450ada 32 450add-450af3 LoadLibraryA 31->32 33 450af5-450af9 32->33 34 450b11-450b16 33->34 35 450afb-450b0f GetProcAddress 33->35 34->32 36 450b18-450b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00450AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00450B04
    Memory Dump Source
    • Source File: 00000022.00000002.2479107279.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_450000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: c3a81a2d2ca1aec655e532447ef5a933ec4ee7638c291e49d404dccaf7f5da54
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: DEF0E27B6002009BCB10CF58CCC09AAB3B1EFA4366329883ADC4297305D239FD198A10
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 37 45129c-4512ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004512C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004512E0
    Memory Dump Source
    • Source File: 00000022.00000002.2479107279.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_450000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 38 450804-45087f VirtualAlloc call 45000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0045084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00450876
    Memory Dump Source
    • Source File: 00000022.00000002.2479107279.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_450000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 04b4ee4dcd4e75d97ea7d44b4961b71730b0f39b06dc86596b597cbe1b53a709
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: 5601B576A00218BFEB009F59DC41FEEB7BCEB48754F108026F654E72C1D2B4EA108BA0
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 41 451252-451266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0045125C
    Memory Dump Source
    • Source File: 00000022.00000002.2479107279.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_450000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000022.00000002.2478834430.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000022.00000002.2478783387.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000022.00000002.2478834430.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000022.00000002.2478834430.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Strings
    Memory Dump Source
    • Source File: 00000023.00000002.2479789890.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_520000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 31 520ad3-520ada 32 520add-520af3 LoadLibraryA 31->32 33 520af5-520af9 32->33 34 520b11-520b16 33->34 35 520afb-520b0f GetProcAddress 33->35 34->32 36 520b18-520b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000023.00000002.2479789890.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_520000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness
    Uniqueness Score: -1.00%
    Control-flow Graph
    control_flow_graph 37 52129c-5212ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000023.00000002.2479789890.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_520000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 520804-52087f VirtualAlloc call 52000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000023.00000002.2479789890.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_520000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 521252-521266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000023.00000002.2479789890.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_520000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000023.00000002.2479525295.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000023.00000002.2479495605.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000023.00000002.2479525295.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000023.00000002.2479525295.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005414CC), ref: 0054099A
    • wsprintfA.USER32 ref: 00540A23
    • wsprintfA.USER32 ref: 00540A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00540A5A
    • ExitProcess.KERNEL32(00000000), ref: 00540A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00540AB5
    Strings
    Memory Dump Source
    • Source File: 00000025.00000002.2481403370.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_540000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: e4bce1b88d8b9b3d117da4b9a8466959e81a96dcb78aef4bb05090c58ba0b19f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: B941ED3260174A9BDB38DF24CC84BEF77A8FF49345F140229EE0697289DB70AA15CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 540ad3-540ada 32 540add-540af3 LoadLibraryA 31->32 33 540af5-540af9 32->33 34 540b11-540b16 33->34 35 540afb-540b0f GetProcAddress 33->35 34->32 36 540b18-540b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00540AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00540B04
    Memory Dump Source
    • Source File: 00000025.00000002.2481403370.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_540000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 3a33e7003f9aa462f38678885642dc24dcabe6c439de9a80c039fd872ee7dbaa
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 6BF0E2736002009BCB10CF18CCC09EAB7B2FF943A93298839D94297304D235FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 54129c-5412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005412E0
    Memory Dump Source
    • Source File: 00000025.00000002.2481403370.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_540000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 540804-54087f VirtualAlloc call 54000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0054084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00540876
    Memory Dump Source
    • Source File: 00000025.00000002.2481403370.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_540000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 758721ccd1ac4b6c4d9caab5d041b670bc1f84fdf8b3d018b5113c6c44843ca1
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: AA01B9726002187FE7009F59DC45FEEB7BCEB44354F104026F654E72C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 541252-541266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0054125C
    Memory Dump Source
    • Source File: 00000025.00000002.2481403370.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_540000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000025.00000002.2481120751.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000025.00000002.2481073812.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000025.00000002.2481120751.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000025.00000002.2481120751.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(02090000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.2489491457.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000026.00000002.2489491457.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000026.00000002.2489491457.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000026.00000002.2489491457.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000026.00000002.2489491457.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000026.00000002.2489171370.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000026.00000002.2488761310.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000026.00000002.2489171370.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000026.00000002.2489171370.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(02090000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000027.00000002.2491051065.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000027.00000002.2491051065.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000027.00000002.2491051065.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000027.00000002.2491051065.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000027.00000002.2491051065.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000027.00000002.2490632018.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000027.00000002.2490603246.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000027.00000002.2490632018.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000027.00000002.2490632018.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%