
Windows Analysis Report
system.exe

Overview

General Information

Sample name: system.exe
Analysis ID: 1432288
MD5: 0017413629107fb8b1a300fe714798a7
SHA1: 4168ee9a4bbbb6541741b17481da79808c7a9d6d
SHA256: b31fb6f44818b2df444399a417c3323fd98234c5546235cc863494a22992a5a7

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Drops PE files with benign system names
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for sample
PE file has a writeable .text section
Sigma detected: System File Execution Location Anomaly
Sigma detected: Uncommon Userinit Child Process
Contains functionality to dynamically determine API calls
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Userinit Child Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
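Several of the signatures above are static PE observations rather than behaviour: a writeable .text section, an invalid checksum, RELOCS_STRIPPED and a 32-bit machine type. The script below is an added example, not part of the Joe Sandbox report or its engine. It re-implements those four checks directly from the raw headers (no pefile dependency) and includes the PE checksum algorithm, which shows why only a non-zero stored checksum that does not match the computed one is the meaningful case. Since the sample itself is not on this page, it runs against a constructed minimal PE32 image produced by build_minimal_pe(); every function and constant name is the example's own.

```python
"""Static PE triage matching four signature-list entries: writeable .text
section, invalid PE checksum, 32-bit image, RELOCS_STRIPPED.  Standard
library only.  Added example; it runs on a constructed minimal PE32 image
from build_minimal_pe(), not on the analysed sample."""
import struct

IMAGE_FILE_RELOCS_STRIPPED, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_32BIT_MACHINE = 0x0001, 0x0002, 0x0100
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
PE32_MAGIC = 0x10B


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE checksum as imagehlp's CheckSumMappedFile computes it: sum every
    dword except the CheckSum field with end-around carry, fold to 16 bits,
    add the file length.  The offset is 4-byte aligned in any valid image."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += int.from_bytes(padded[off:off + 4], "little")
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Header fields the checks need, read from a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    checksum_offset = opt + 64                          # OptionalHeader.CheckSum
    sections = []
    for i in range(nsections):                          # IMAGE_SECTION_HEADER table
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), flags))
    return {"machine": machine, "characteristics": chars, "sections": sections,
            "checksum_offset": checksum_offset,
            "checksum": struct.unpack_from("<I", data, checksum_offset)[0]}


def triage(data: bytes) -> dict:
    """Reproduce the report's static observations for one image."""
    pe = parse_pe(data)
    stored, computed = pe["checksum"], pe_checksum(data, pe["checksum_offset"])
    return {
        "32bit_machine": pe["machine"] == IMAGE_FILE_MACHINE_I386,
        "relocs_stripped": bool(pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED),
        # Executable code that is also writeable: a self-modifying/unpacking stub
        "writeable_text": any(n == ".text" and f & IMAGE_SCN_MEM_WRITE for n, f in pe["sections"]),
        "checksum_stored": stored,
        "checksum_computed": computed,
        # Zero means "not set" and is normal for user-mode binaries; a non-zero
        # value that does not match is the real anomaly (tampered or badly built).
        "checksum_unset": stored == 0,
        "invalid_checksum": stored != 0 and stored != computed,
    }


def fix_checksum(data: bytes) -> bytes:
    """Copy of the image with the CheckSum a linker would have written."""
    off = parse_pe(data)["checksum_offset"]
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, off, pe_checksum(data, off))
    return bytes(fixed)


def build_minimal_pe(text_flags: int, checksum: int) -> bytes:
    """Constructed 1 KiB PE32 with one .text section (not the sample)."""
    opt_size, headers_size = 224, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, opt_size,
                              IMAGE_FILE_RELOCS_STRIPPED | IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    # SizeOfCode .. FileAlignment (optional header offsets 4..39)
    struct.pack_into("<9I", opt, 4, 0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<III", opt, 56, 0x2000, headers_size, checksum)    # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<H", opt, 68, 2)                                   # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                                  # NumberOfRvaAndSizes
    code = b"\x31\xC0\xC3".ljust(headers_size, b"\0")                    # xor eax, eax; ret
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, len(code), headers_size,
                          0, 0, 0, 0, text_flags)
    headers = (dos + b"PE\0\0" + file_header + bytes(opt) + section).ljust(headers_size, b"\0")
    return headers + code


# Constructed image with the sample's traits: RWX .text and a bogus non-zero checksum
RWX_TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SUSPICIOUS_PE = build_minimal_pe(RWX_TEXT, 0xDEADBEEF)

if __name__ == "__main__":
    print("as built:      ", triage(SUSPICIOUS_PE))
    print("checksum fixed:", triage(fix_checksum(SUSPICIOUS_PE)))
```

On a real file, call triage(open(path, "rb").read()). A writeable .text section is almost never produced by a compiler and usually marks a packer or protector stub that patches its own code at run time, which is the static counterpart of the "Detected unpacking (changes PE section rights)" behaviour listed above; a stored checksum of zero, by contrast, is routine for user-mode executables and on its own is not evidence of anything.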

Process Tree

  • System is w10x64
  • system.exe (PID: 4688 cmdline: "C:\Users\user\Desktop\system.exe" MD5: 0017413629107FB8B1A300FE714798A7)
    • userinit.exe (PID: 4304 cmdline: C:\Windows\userinit.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5672 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3496 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 7140 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6580 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 4324 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3648 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5608 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2804 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3144 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2928 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3252 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 4688 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5084 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6768 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1276 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5704 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5276 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3480 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 7056 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1576 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1784 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2284 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3996 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5488 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 4832 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3844 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3752 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5264 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3652 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1256 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 6168 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 1052 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 5884 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3856 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 3716 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
      • system.exe (PID: 2944 cmdline: C:\Windows\system32\system.exe MD5: 0017413629107FB8B1A300FE714798A7)
  • cleanup
No configs have been found
No yara matches

System Summary

Sigma detected: System File Execution Location Anomaly | Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Windows\userinit.exe, CommandLine: C:\Windows\userinit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\userinit.exe, NewProcessName: C:\Windows\userinit.exe, OriginalFileName: C:\Windows\userinit.exe, ParentCommandLine: "C:\Users\user\Desktop\system.exe", ParentImage: C:\Users\user\Desktop\system.exe, ParentProcessId: 4688, ParentProcessName: system.exe, ProcessCommandLine: C:\Windows\userinit.exe, ProcessId: 4304, ProcessName: userinit.exe
Sigma detected: Uncommon Userinit Child Process | Source: Process started | Author: Tom Ueltschi (@c_APT_ure), Tim Shelton | Data: Command: C:\Windows\system32\system.exe, CommandLine: C:\Windows\system32\system.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\system.exe, NewProcessName: C:\Windows\SysWOW64\system.exe, OriginalFileName: C:\Windows\SysWOW64\system.exe, ParentCommandLine: C:\Windows\userinit.exe, ParentImage: C:\Windows\userinit.exe, ParentProcessId: 4304, ParentProcessName: userinit.exe, ProcessCommandLine: C:\Windows\system32\system.exe, ProcessId: 5672, ProcessName: system.exe
Sigma detected: Suspicious Userinit Child Process | Source: Process started | Author: Florian Roth (Nextron Systems), Samir Bousseaden (idea) | Data: Command: C:\Windows\system32\system.exe, CommandLine: C:\Windows\system32\system.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\system.exe, NewProcessName: C:\Windows\SysWOW64\system.exe, OriginalFileName: C:\Windows\SysWOW64\system.exe, ParentCommandLine: C:\Windows\userinit.exe, ParentImage: C:\Windows\userinit.exe, ParentProcessId: 4304, ParentProcessName: userinit.exe, ProcessCommandLine: C:\Windows\system32\system.exe, ProcessId: 5672, ProcessName: system.exe
No Snort rule has matched
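The three Sigma hits above rest on two observations: a binary carrying a Windows system file name (userinit.exe) running from C:\Windows instead of System32, and userinit.exe spawning something other than the shell. The Python below is an added example, not Joe Sandbox or Sigma project code. It implements both checks over process-creation events and runs them against the two events copied from the report plus a constructed benign logon chain. Field names follow the Sysmon-style schema shown in the hits; SYSTEM_BINARIES is a subset of the real rule's list and the helper names are the example's own. One detail worth noting: the children's CommandLine reads C:\Windows\system32\system.exe while their Image is C:\Windows\SysWOW64\system.exe, because the 32-bit sample's writes to System32 were redirected by WOW64. Path logic therefore has to key on Image, never on CommandLine.

```python
"""Detection logic for the process-creation anomalies the Sigma hits above
report, run over event records copied from the report plus a constructed
benign logon chain.  Added example, not Joe Sandbox or Sigma project code;
field names follow the Sysmon/Sigma process_creation schema in the report."""
from pathlib import PureWindowsPath

# Subset of the system binaries the "System File Execution Location Anomaly"
# rule covers; they must only run from the directories in LEGIT_DIRS.
SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "smss.exe", "wininit.exe", "services.exe", "spoolsv.exe", "explorer.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
LEGIT_IMAGES = {"c:\\windows\\explorer.exe"}          # explorer legitimately lives one level up
USERINIT_EXPECTED_CHILDREN = {"explorer.exe"}        # userinit normally launches only the shell


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def system_file_location_anomaly(event: dict):
    """A Windows system binary name executing outside System32/SysWOW64/WinSxS.
    Match on Image, never CommandLine: the report's children claim
    C:\\Windows\\system32\\system.exe on the command line while the Image is
    C:\\Windows\\SysWOW64\\system.exe (WOW64 file-system redirection)."""
    image = event["Image"].lower()
    if _basename(image) not in SYSTEM_BINARIES or image in LEGIT_IMAGES:
        return None
    if image.startswith(LEGIT_DIRS):
        return None
    return f"{_basename(image)} executed from non-standard location {event['Image']}"


def userinit_child_anomaly(event: dict):
    """userinit.exe spawning anything other than the shell (explorer.exe)."""
    if _basename(event["ParentImage"]) != "userinit.exe":
        return None
    if _basename(event["Image"]) in USERINIT_EXPECTED_CHILDREN:
        return None
    return f"userinit.exe spawned unexpected child {event['Image']}"


RULES = (system_file_location_anomaly, userinit_child_anomaly)


def run_detections(events):
    """Return (ProcessId, rule name, message) for every rule that fires."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev["ProcessId"], rule.__name__, msg))
    return alerts


EVENTS = [
    # From the report: the sample dropped and started C:\Windows\userinit.exe (PID 4304)
    {"ProcessId": 4304, "ParentProcessId": 4688, "Image": "C:\\Windows\\userinit.exe",
     "CommandLine": "C:\\Windows\\userinit.exe", "ParentImage": "C:\\Users\\user\\Desktop\\system.exe"},
    # From the report: the fake userinit.exe spawned the dropped system.exe (PID 5672)
    {"ProcessId": 5672, "ParentProcessId": 4304, "Image": "C:\\Windows\\SysWOW64\\system.exe",
     "CommandLine": "C:\\Windows\\system32\\system.exe", "ParentImage": "C:\\Windows\\userinit.exe"},
    # Constructed benign baseline: the normal interactive logon chain, no alert expected
    {"ProcessId": 1000, "ParentProcessId": 900, "Image": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\system32\\userinit.exe", "ParentImage": "C:\\Windows\\System32\\winlogon.exe"},
    {"ProcessId": 1100, "ParentProcessId": 1000, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE", "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
]

if __name__ == "__main__":
    for pid, rule, msg in run_detections(EVENTS):
        print(f"PID {pid}: [{rule}] {msg}")
```

Run against the report's events, the first rule fires on PID 4304 (userinit.exe from C:\Windows) and the second on PID 5672 (system.exe as a child of userinit.exe), while the constructed winlogon.exe > userinit.exe > explorer.exe chain stays silent. The same two functions cover both Userinit Sigma hits, which differ only in how broad their child allow-list is.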


AV Detection

Source: system.exe | Avira: detected
Source: C:\Windows\SysWOW64\system.exe | ReversingLabs: Detection: 100%
Source: C:\Windows\userinit.exe | ReversingLabs: Detection: 100%
Source: system.exe | ReversingLabs: Detection: 100%
Source: system.exe | Joe Sandbox ML: detected

Uses 32bit PE files

Source: system.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000000E.00000002.2172638469.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000000E.00000002.2172638469.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000000E.00000002.2172638469.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000E.00000002.2172638469.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000000F.00000002.2183172587.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000000F.00000002.2183172587.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000000F.00000002.2183172587.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000000F.00000002.2183172587.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000010.00000002.2191778811.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000010.00000002.2191778811.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000010.00000002.2191778811.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000010.00000002.2191778811.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000011.00000002.2202956533.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000011.00000002.2202956533.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000011.00000002.2202956533.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000011.00000002.2202956533.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000012.00000002.2207609246.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000012.00000002.2207609246.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000012.00000002.2207609246.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000012.00000002.2207609246.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000013.00000002.2215071617.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000013.00000002.2215071617.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000013.00000002.2215071617.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000013.00000002.2215071617.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000014.00000002.2221305446.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000014.00000002.2221305446.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000014.00000002.2221305446.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000014.00000002.2221305446.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000015.00000002.2227494861.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000015.00000002.2227494861.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000015.00000002.2227494861.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000015.00000002.2227494861.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000016.00000002.2234419301.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000016.00000002.2234419301.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000016.00000002.2234419301.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000016.00000002.2234419301.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000017.00000002.2257314126.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000017.00000002.2257314126.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000017.00000002.2257314126.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000017.00000002.2257314126.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000018.00000002.2257274752.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000018.00000002.2257274752.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000018.00000002.2257274752.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000018.00000002.2257274752.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 00000019.00000002.2266023677.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 00000019.00000002.2266023677.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 00000019.00000002.2266023677.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 00000019.00000002.2266023677.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000001A.00000002.2267496829.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000001A.00000002.2267496829.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000001A.00000002.2267496829.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001A.00000002.2267496829.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000001B.00000002.2273094305.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000001B.00000002.2273094305.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000001B.00000002.2273094305.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001B.00000002.2273094305.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000001C.00000002.2276168046.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000001C.00000002.2276168046.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000001C.00000002.2276168046.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001C.00000002.2276168046.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exeBinary or memory string: \AutoRun.inf
Source: system.exeBinary or memory string: D:\AutoRun.inf
Source: system.exeBinary or memory string: [autorun]
Source: system.exeBinary or memory string: [AutoRun]
Source: system.exe, 0000001D.00000002.2278109099.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: \AutoRun.inf
Source: system.exe, 0000001D.00000002.2278109099.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [autorun]
Source: system.exe, 0000001D.00000002.2278109099.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001D.00000002.2278109099.0000000000401000.00000040.00000001.01000000.00000008.sdmpBinary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001E.00000002.2281374809.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001E.00000002.2281374809.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001E.00000002.2281374809.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001E.00000002.2281374809.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 0000001F.00000002.2284819530.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 0000001F.00000002.2284819530.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 0000001F.00000002.2284819530.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 0000001F.00000002.2284819530.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000020.00000002.2330019391.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000020.00000002.2330019391.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000020.00000002.2330019391.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000020.00000002.2330019391.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000021.00000002.2333053122.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000021.00000002.2333053122.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000021.00000002.2333053122.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000021.00000002.2333053122.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000022.00000002.2353072004.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000022.00000002.2353072004.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000022.00000002.2353072004.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000022.00000002.2353072004.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000023.00000002.2354859970.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000023.00000002.2354859970.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000023.00000002.2354859970.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000023.00000002.2354859970.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000024.00000002.2363593858.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000024.00000002.2363593858.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000024.00000002.2363593858.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000024.00000002.2363593858.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000025.00000002.2365649894.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000025.00000002.2365649894.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000025.00000002.2365649894.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000025.00000002.2365649894.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000026.00000002.2368815443.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000026.00000002.2368815443.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000026.00000002.2368815443.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000026.00000002.2368815443.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer
Source: system.exe, 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: \AutoRun.inf
Source: system.exe, 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [autorun]
Source: system.exe, 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: D:\AutoRun.inf
Source: system.exe, 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: [AutoRun]&shell\open\Command=,shell\explore\Command=vSoftware\Microsoft\Windows\CurrentVersion\Policies\Explorer

System Summary

Source: system.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: userinit.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: system.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\system.exe | File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe | File created: C:\Windows\kdcoms.dll
Source: C:\Windows\userinit.exe | File created: C:\Windows\SysWOW64\system.exe
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0053000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 3_2_0055000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 4_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 5_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 6_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 7_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 8_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 9_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 10_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 11_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 12_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 14_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 15_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 16_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 17_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 18_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 19_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 20_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 21_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 22_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 23_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 24_2_0052000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 25_2_0052000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 26_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 27_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 28_2_0045000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 29_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 30_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 31_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 32_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 33_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 34_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 35_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 36_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 37_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 38_2_0044000D
Source: C:\Windows\SysWOW64\system.exe | Code function: 39_2_0051000D
Source: C:\Windows\SysWOW64\system.exe | Code function: String function: 00401218 appears 35 times
Source: system.exe | Binary or memory string: OriginalFilename vs system.exe
Source: system.exe, 00000000.00000000.1965695461.0000000000430000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000000.00000002.1971769073.0000000000430000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000003.00000000.1980175381.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000003.00000002.1982544314.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000004.00000000.1992222735.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000004.00000002.1994019255.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000005.00000002.2006926435.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000005.00000000.2003686715.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000006.00000000.2016090694.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000006.00000002.2017840118.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000007.00000000.2027192602.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000007.00000002.2029152908.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000008.00000002.2041309022.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000008.00000000.2038452064.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000009.00000000.2059579621.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000009.00000002.2063809010.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000A.00000002.2075254296.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000A.00000000.2073200041.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000B.00000000.2084732898.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000B.00000002.2087102066.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000C.00000000.2141105461.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000C.00000002.2144589813.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000E.00000000.2164485696.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000E.00000002.2172638469.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000F.00000002.2183172587.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000000F.00000000.2177725117.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000010.00000002.2191778811.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000010.00000000.2187827427.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000011.00000002.2202956533.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000011.00000000.2196365470.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000012.00000000.2205076470.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000012.00000002.2207609246.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000013.00000002.2215071617.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000013.00000000.2211590413.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000014.00000000.2218046850.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000014.00000002.2221305446.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000015.00000000.2224239431.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000015.00000002.2227494861.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000016.00000002.2234419301.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000016.00000000.2229479547.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000017.00000002.2257314126.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000017.00000000.2235438142.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000018.00000002.2257274752.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000018.00000000.2253150601.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000019.00000000.2258676303.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000019.00000002.2266023677.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001A.00000002.2267496829.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001A.00000000.2265104904.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001B.00000002.2273094305.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001B.00000000.2268639801.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001C.00000000.2271781992.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001C.00000002.2276168046.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001D.00000000.2275101445.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001D.00000002.2278109099.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001E.00000000.2278074618.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001E.00000002.2281374809.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001F.00000002.2284819530.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 0000001F.00000000.2281189785.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000020.00000002.2330019391.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000020.00000000.2284333507.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000021.00000002.2333053122.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000021.00000000.2328106172.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000022.00000002.2353072004.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000022.00000000.2332125037.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000023.00000002.2354859970.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000023.00000000.2336411348.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000024.00000000.2352598881.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000024.00000002.2363593858.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000025.00000000.2358418560.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000025.00000002.2365649894.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000026.00000000.2364311746.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000026.00000002.2368815443.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000027.00000000.2368273609.0000000000430000.00000080.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe, 00000027.00000002.2373488440.0000000000430000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe.1.dr | Binary or memory string: OriginalFilenamehoney.exe vs system.exe
Source: system.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: system.exe | Binary or memory string: *\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: system.exe, 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmp, system.exe, 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmp, system.exe, 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: system.exe, system.exe, 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp | Binary or memory string: @*\AD:\Setup\Drivers\Audio\Installs_the_RealTek_AC_97_audio_driver\WDM5630\WDM\WDM\Basic\SH\74\worm.vbp
Source: classification engine | Classification label: mal100.evad.winEXE@551/41@0/0
Source: C:\Windows\SysWOW64\system.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\system.exe | File created: C:\Users\user\AppData\Local\Temp\~DF71428448FA06B7FC.TMP
Source: C:\Users\user\Desktop\system.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: system.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\system.exe | File read: C:\Users\user\Desktop\system.exe
Source: unknown | Process created: C:\Users\user\Desktop\system.exe "C:\Users\user\Desktop\system.exe"
Source: C:\Users\user\Desktop\system.exe | Process created: C:\Windows\userinit.exe C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe | Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe
Source: C:\Users\user\Desktop\system.exe | Process created: C:\Windows\userinit.exe C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe | Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe (36 identical entries)
Source: C:\Windows\userinit.exe | Process created: unknown unknown (268 identical entries)
Source: C:\Windows\userinit.exe | Process created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exe (39 identical entries)
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: C:\Windows\SysWOW64\system.exe C:\Windows\system32\system.exeJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Windows\userinit.exeProcess created: unknown unknownJump to behavior
Source: C:\Users\user\Desktop\system.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\system.exe | Section loaded: msvbvm60.dll
Source: C:\Users\user\Desktop\system.exe | Section loaded: vb6zz.dll
Source: C:\Users\user\Desktop\system.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\system.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\system.exe | Section loaded: sxs.dll
Source: C:\Windows\userinit.exe | Section loaded: apphelp.dll
Source: C:\Windows\userinit.exe | Section loaded: msvbvm60.dll
Source: C:\Windows\userinit.exe | Section loaded: vb6zz.dll
Source: C:\Windows\userinit.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\userinit.exe | Section loaded: uxtheme.dll
Source: C:\Windows\userinit.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: msvbvm60.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: vb6zz.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\system.exe | Section loaded: sxs.dll
(The five entries msvbvm60.dll, vb6zz.dll, kernel.appcore.dll, uxtheme.dll and sxs.dll recur identically for each of the 35 further C:\Windows\SysWOW64\system.exe instances.)

Data Obfuscation

Source: C:\Users\user\Desktop\system.exe | Unpacked PE file: 0.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 3.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 4.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 5.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 6.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 7.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 8.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 9.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 10.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 11.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 12.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 14.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 15.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 16.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 17.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 18.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 19.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 20.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 21.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 22.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 23.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 24.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 25.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 26.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 27.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 28.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 29.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 30.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 31.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 32.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 33.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 34.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 35.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 36.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 37.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 38.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Windows\SysWOW64\system.exe | Unpacked PE file: 39.2.system.exe.400000.0.unpack .text:EW;.rsrc:EW; vs .text:ER;.rsrc:EW;
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_00530AD3 LoadLibraryA,GetProcAddress,0_2_00530AD3
Source: system.exe.1.dr | Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: userinit.exe.0.dr | Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: system.exe | Static PE information: real checksum: 0x1b443 should be: 0x17b87
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC50 push 00401212h; ret 0_2_0040BC63
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C852 push 00401212h; ret 0_2_0040C865
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC64 push 00401212h; ret 0_2_0040BC77
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC78 push 00401212h; ret 0_2_0040BC8B
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC00 push 00401212h; ret 0_2_0040BC13
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C802 push 00401212h; ret 0_2_0040C815
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC14 push 00401212h; ret 0_2_0040BC27
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C816 push 00401212h; ret 0_2_0040C829
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC28 push 00401212h; ret 0_2_0040BC3B
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C82A push 00401212h; ret 0_2_0040C83D
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC3C push 00401212h; ret 0_2_0040BC4F
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C83E push 00401212h; ret 0_2_0040C851
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BCC8 push 00401212h; ret 0_2_0040BCDB
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BCDC push 00401212h; ret 0_2_0040BCEF
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BCF0 push 00401212h; ret 0_2_0040BD03
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BC8C push 00401212h; ret 0_2_0040BC9F
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BCA0 push 00401212h; ret 0_2_0040BCB3
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BCB4 push 00401212h; ret 0_2_0040BCC7
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD40 push 00401212h; ret 0_2_0040BD53
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD54 push 00401212h; ret 0_2_0040BD67
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD68 push 00401212h; ret 0_2_0040BD7B
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD7C push 00401212h; ret 0_2_0040BD8F
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD04 push 00401212h; ret 0_2_0040BD17
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD18 push 00401212h; ret 0_2_0040BD2B
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BD2C push 00401212h; ret 0_2_0040BD3F
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040C934 push esp; retf 0_2_0040C935
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BDCC push 00401212h; ret 0_2_0040BDDF
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040A9DC push 00401212h; ret 0_2_0040AACB
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BDE0 push 00401212h; ret 0_2_0040BDF3
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_0040BDF4 push 00401212h; ret 0_2_0040BE07
Source: C:\Users\user\Desktop\system.exe | Code function: 0_2_004031FE push edi; iretd 0_2_004033CC
Source: system.exeStatic PE information: section name: .text entropy: 7.992500880288964
Source: userinit.exe.0.drStatic PE information: section name: .text entropy: 7.992500880288964
Source: system.exe.1.drStatic PE information: section name: .text entropy: 7.992500880288964

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\system.exe | File created: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe | Executable created and started: C:\Windows\SysWOW64\system.exe
Source: C:\Users\user\Desktop\system.exe | Executable created and started: C:\Windows\userinit.exe
Source: C:\Windows\userinit.exe | File created: C:\Windows\SysWOW64\system.exe

Boot Survival

Source: C:\Windows\userinit.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Users\user\Desktop\system.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\userinit.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\system.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\userinit.exe | Window / User API: foregroundWindowGot 1774
Source: C:\Users\user\Desktop\system.exe | API call chain: ExitProcess graph end node | graph_0-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_3-786
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_4-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_5-786
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_6-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_7-786
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_8-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_9-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_10-786
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_11-786
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_12-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_14-785
Source: C:\Windows\SysWOW64\system.exe | API call chain: ExitProcess graph end node | graph_15-785
Source: C:\Windows\SysWOW64\system.exe  API call chain: ExitProcess graph end node (24 further identical entries without a graph reference)
Source: C:\Users\user\Desktop\system.exe  Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\system.exe  Code function: 0_2_00530AD3 LoadLibraryA,GetProcAddress
MITRE ATT&CK matrix, listed by tactic (a leading number is the count of signatures that matched the technique; entries without a number were not matched and are only the matrix's fixed placeholders)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 22 Masquerading; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Security Software Discovery; 1 Process Discovery; 1 Application Window Discovery; 1 Peripheral Device Discovery; 1 System Information Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source                            Detection  Scanner         Label
system.exe                        100%       ReversingLabs   Win32.Worm.Generic
system.exe                        100%       Avira           TR/Crypt.CFI.Gen
system.exe                        100%       Joe Sandbox ML
Source                            Detection  Scanner         Label
C:\Windows\SysWOW64\system.exe    100%       ReversingLabs   Win32.Worm.Generic
C:\Windows\userinit.exe           100%       ReversingLabs   Win32.Worm.Generic
No Antivirus matches in the remaining scan categories
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1432288
Start date and time: 2024-04-26 19:29:01 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: system.exe
Detection: MAL
Classification: mal100.evad.winEXE@551/41@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 71%
  • Number of executed functions: 221
  • Number of non-executed functions: 1
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.
Time      Type             Description
19:29:45  API Interceptor  3850x Sleep call for process: userinit.exe modified
No context
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.01953544226125
Encrypted:false
SSDEEP:192:y27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:Z7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:245627F6C2A0544CB2669060FA56D0B2
SHA1:8CC5037452AB2E169B4F2A78DF9C5AA5F065F448
SHA-256:738946892476BB4C0C47200A0485116C4000F9158CE96940B7D4C6DE624D236B
SHA-512:E1375CF6B123480A0B7B5C2B2537AA263CCEFC8565002A9528CE3BE698C25608614105AAD222694F0A8B44B32F4FBD5B59C696842B114F6733043EFBA3FED277
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0193738499958505
Encrypted:false
SSDEEP:192:mP27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:p7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7DE6E6D037006CDEFF73D844D467E6F2
SHA1:9BBDFF9467A3FCC26DE53A8FF8141F356C998FC2
SHA-256:F45D7C987D054DD6608FFD3952113A634573AE0BACABB284E3EBC4A40E441BE6
SHA-512:0023E0B7DAD6D97EB63DC82366730F75E0BD408B9D76912C9E9690D20D2A03088FAEE32AF5A009683D2AF834FB5CB33441D42B8371DB191D8E14EEE86F3C9EB3
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019507653776729
Encrypted:false
SSDEEP:192:627dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:R7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:048CFEBFB35974C90EB9FB9699A86E24
SHA1:E50B755E0EAB2C6291B61DDFE6CEFC523D1B28D6
SHA-256:89F7D9534BF3B0B7CCB4611805BA8AD6B1F1CEACAC9CCA6ADB375383EF56CDB4
SHA-512:E02E51C99A5BC0361070590724B5B842042A8F3797D0B2846262B6DB4E4B8B72F875C5DE28C55C28E226673C2658D2E9EBA9DE621257992D7228A088AB9CE822
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019389846533521
Encrypted:false
SSDEEP:192:d27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:I7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:6A1B1C77C9E7E70F625BC0287E681AD8
SHA1:1A5022FF83A58FAFA439E2A93A7F4DAF4A988D08
SHA-256:844AB43F49CC3A515384DBBD358DD983715BBE7C79926B403A79F0674B4C05B8
SHA-512:669394C219526F73876D59C43CFE2AA3B9C41F7138FE4FF85AE88DEB85C8F7B75D042C347768F7EBD6022B71DF1E0F2AC46ED1E24F4EA43661C9D450168F2236
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0194606946077585
Encrypted:false
SSDEEP:192:a27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:x7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:C1A018D37355AC4635A46EC9F2D02D1E
SHA1:AAE54F069E164FFA4928E518342FBACADCB627E9
SHA-256:BCAE3D9921EF53B528F61AA22E9FE7B92F1099228D01258751490E869FB36EEC
SHA-512:080AAA55F2626455B38F72CC54C70327235CE8B8441B5151203A523752CE36D4C71E9DECEDB749ABCE12F5CF8B75454BF24CDAFC93C61D3F0972293A656DCD1A
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0192127713411505
Encrypted:false
SSDEEP:192:M27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:v7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:79BE24971D16365967A348C7FF77D2C4
SHA1:C89EF83250B89A748547482CD23C37FAB07A1710
SHA-256:6E753FD59D32A5798619EF3612A61A0C5F8FF3BDE38740600C51F3BD3E5CDC20
SHA-512:48BACFB30E0815B078F56AB3139D321DA6CF2A2195437242B902C4ADF55F3865B84D58D62544902107CA3ABA023463A419561238CE506810BF46503842CBBC6F
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019475946935109
Encrypted:false
SSDEEP:192:/27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:e7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7807EB0512B6E12C6B6245A15A2FBE21
SHA1:64C0189562B1758C22207C6D77C40E981EAB73CE
SHA-256:124A1671E8FBA8E3DD6A745136E02FB35CF1B1F4488A1D071F3514DAAAA1D6A7
SHA-512:D1D27A2051D28A7439DE9A7B9265B30DBAA39D87E9AD21470EB7B286A2B55A6FFCA1F7C3BBA51493E13E38FE0E4B8434E5DDE2CD17BEF4B7AFCB16B31882923C
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019275028795835
Encrypted:false
SSDEEP:192:x27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:E7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:DC9D8D0FDF217A235BF7A8FA802ADEBC
SHA1:86831B6A001A71DFDE672AEFE9AE37045CEF4C2C
SHA-256:AA7160BB25A0A15A143EC6B26EE93BC44D5B0B68D5546FED8B598082C17AD1FB
SHA-512:0B24F4494262D342558FFAAEF815AB358DDF9B6050636417C46668F9F6251CF72BD93A2155B66B2F1C4549C8C62EA6C9A93528E605AD0EF6FB339C1F80AD2293
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019480393794544
Encrypted:false
SSDEEP:192:c27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:f7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:B96E0DE2384825E2E61490E045360415
SHA1:D688E1D31CF757A771A6DDA635E7387D3F9DEB9A
SHA-256:9C1825F7C4E9010FA69787BAD34ED78CF9526FBB195710A685999B8D37A2E871
SHA-512:C8AE2A0DACD291B6387BDE402687B924DC2EDF52B4697960FABCD1A125E061E91BA911F9C265CC79F35019B09163F0C49AEBC1EDB272B2A6FD3A14CB9C5E5F90
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019243406439896
Encrypted:false
SSDEEP:192:IL27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:Iy7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:95419BA5797AD2FE0DB32189EAE27205
SHA1:6BCA3194DE27517176BEACF478AADD3AF2B71E92
SHA-256:61AEDAA225962F8C1DE89C455F67D9B47A281B3F67B0DDF55ECD8AB0395EFE9F
SHA-512:C89360400BE11847D791238B9F26BAF941D88751515E3F88F7DD7C8BFA53A8FD6FFF989E94502CD195832C88A6C4AEBB1A3B7AB5F25C3C847CAEA18B4BEC089D
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019381010718937
Encrypted:false
SSDEEP:192:227dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:V7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:033B776C1B43C2C5D40BC6B95C966086
SHA1:02C66616EF5C5483BEE8155D73DC1DDAD841EED5
SHA-256:2ED14147B6797692024D43D5743017AE709048E6AD8B9EBB2848AE0605ACE2E4
SHA-512:7BEA014EBF8864A2F5797BAE9A75A7AEE9D8E98E96961C72229AF063DA53325E1529FC99AA344A5CD578152E35BA225D8B2BB344B1E99F8F351FCC954A546CAE
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.01950415422596
Encrypted:false
SSDEEP:192:627dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:R7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:4A46BF6A98289BB3EE38770B74477559
SHA1:5B3CDA08954CB1F07A2DCFFAAF2C5DED4A63D5F0
SHA-256:5CAFE6048B5BBD9D01D7099F1D6F5066D198D8AC417002F0C35355AF93BA92F3
SHA-512:AE478EFC281B04ED446CA9D34A07DAC1C551B7E553BD8DBC52CEB47B507565EB9E07DB0455EB46C114A55A872BDB3D55D4078F18E5C450427CE00526B5ED66E3
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019327610154629
Encrypted:false
SSDEEP:192:L27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:y7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:097531A0F98371BC59D9B7A8FF2E2A8A
SHA1:CE524B8EF2B3C6165022AA78BC284434AFFB6B35
SHA-256:98C95DF7DEEDD5DB95C8675FEECE0BC7058D6175C4256A832D6857E736B38E4E
SHA-512:8A8BAB287B159431E2AA0185CFD36887DD728CA6BC4E0F89BE55037C142712D325EF9D066288EEB70DBF363A08ECDAE89AD3EC52BDD357A05D3F679CF954DDC4
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019455255903072
Encrypted:false
SSDEEP:192:t27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:47XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:5E6D69C6E9141875BF9CD117C6D28164
SHA1:E271C77AB0970EAC8C89B9CA91EBDA84696FA32B
SHA-256:EBD6516D8A442F6D906DF68D619D1A362C769AD5FCD470AD5CFAF14F75C1A76D
SHA-512:DF74A882834253BC8BD54AD446592ED6C2E1E5505F7032BEF0C8E8E8DFC20EAE194FB3664C7DE1032AF305AE40CDCDB6EA2E1292A1FA8C6AA7E6D96C2CCFFD70
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0194576660875505
Encrypted:false
SSDEEP:192:727dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:C7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:05D8E6A5CA4B8EE708B2C3FF607505F3
SHA1:28F5F275513238D5F48953ABCB402467EAD7EA19
SHA-256:BA6DAFF2854387A100BA7581EAF89300ADF49339A2F9ED6EF6D3320D1D65AB15
SHA-512:472E97FE83C7D90006D062E702E9EB9019DB94BE74232477B8983C9C36494F94F898EC8CE2584626DE2DF99244A44F48B73597D80C0BD0F37B8005141AD74D09
Malicious:false
Preview: ......................>...... (printable-character preview; non-printable bytes shown as dots, truncated here)
Process:C:\Users\user\Desktop\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019464808983005
Encrypted:false
SSDEEP:192:G27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:F7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:42ED3CC6554BB95AE24B39639DEA8022
SHA1:BB24CBC59468726B21656E698C6A1BAFE1E4A0CD
SHA-256:40B1439AFF691BF3D7579220344E25A6F5F27F81E6D2849FBFB5FD8B858971D4
SHA-512:B7ECFDFE382F50DA5B976D6EA5C620420979F732AA51A84BC71E7B742DE102C87ABD0C71153B446ADD1B8F16EA0F1DE2DAE78DA42FA3D2C2AC45861433C0EF2F
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0195260550318945
Encrypted:false
SSDEEP:192:z027dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:r7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:7FD32CD854558C50E706D99C7E07F67C
SHA1:19400B506527465B4CB46143FDBBA5FB8FECDE42
SHA-256:6CD16DAB6F90C20BBE0991C5E01EAB1B2535EDFE009889CAF8B9C6393994F56A
SHA-512:F3F9619BD21B2762553BAC0534E156AFB3D734A5B62C7C009087AF73D63397FD7BDE60CFFE393A135D3ECCCF088C68B02ABD70EF416C9377DD43398C3F3BA226
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019357476787679
Encrypted:false
SSDEEP:192:f27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:+7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:B42005372147D6A5CDABAF6E09052E47
SHA1:2A5C9D5D83E082BE82884B5E121C251D889EFA84
SHA-256:8F0F9E727E807C5EBC3500086D421B42B0C5E9C242A4F6AFCFAF6493DA8FD837
SHA-512:8CE27FF979CE7FA729ED022BF4D12A1C0366BF2CB4E76670B2F2DF0498992B50DE7EA7A1E6E9EA9536A2D7576738DD85CA52194B7B660C3F4D20E0D02A200F8B
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.01947199243286
Encrypted:false
SSDEEP:192:X27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:G7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:9A7727E40BCF58ABEB50F8888CE719C9
SHA1:E1FB97C9F37FE468C84D13D844DC3BCD13F310E9
SHA-256:5838997E0ED745FDB6F1E4D3E2D327953789C06C62E3EAA3AD00EA5D358EF054
SHA-512:75DD54D18202DB13BDADBB02525F4B89CB246AA383EC65CCBAD2BCAFEF268239B530440336883E2A9E9FEC4B1E63A7EC4204A8B37E48BB346C0FB9712BB937FC
Malicious:false
Process:C:\Windows\userinit.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):49152
Entropy (8bit):3.4070728863790936
Encrypted:false
SSDEEP:192:y27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKD:Z7XIxA1a8ButlHmzTGf8Rfvgm/YKD
MD5:2B0A1E43441DC2059291F8B78CE5E398
SHA1:6E119C19721019756C9984F52C20C93433F157C2
SHA-256:50605275562BA4D09FE5988EDCE9CDD6DB5AF5AFF5315972E64B96874EF8CFE2
SHA-512:9AA2EF82BF3EC578104094977E8FD85A6A1358C2F611E6EF4184EE24D0C3EB70A6A7C1AC08DCBDA32FC8BA27F8FFD50AF125FDB8D32BF2A34C7B323E5BD33F62
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019501095921618
Encrypted:false
SSDEEP:192:827dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:/7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:DC7CDC758C12E0DD5C793D9B316586AE
SHA1:D472005B1E14F59746AB8627C10301006AF33480
SHA-256:D903E68C819B9B7110C9360322CAB2D3C4C67A274D7B78B84A02703AB906CFEC
SHA-512:45369957C7A071FCA2BFFD0BF4A087E6FD1D19B52D71CE8BCF8AAD1D88381488F6D1D5A567AC9F8352D97B1F2CB503EC3E8906E848518DA0987C0E97F501E148
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019362904933136
Encrypted:false
SSDEEP:192:F27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:A7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:EF4BB6BFBAAECEBF98F6AFBBE10B3B17
SHA1:A1014EF1EE34E9BAC2EAB7204674F335AF3875F0
SHA-256:DAFC26264B33E4938AC60C6B6EF836747BE0A9C17A1B5AB070F3A432B17782C3
SHA-512:6F7935521E5698409A2458B385BAC7B532C2A03A08550D7BFD8BC80FB4198C2380673C28CA4E47FFFBE94C15EB399AC41BE46CF60F2F8F0746FD2B1C5F66AA73
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019398092290491
Encrypted:false
SSDEEP:192:b27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:i7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:EE00BD56DD085381A631D7A8F01BD715
SHA1:76F8470507227665C24609CEB7ACA3BD2C75968F
SHA-256:B09DC6A88E51CC7DFF78EE524835F05EBD41D7D3D394CD823C31925BD66495A0
SHA-512:B0F5C223CE3BA27E1D339EC8E0F2943294EE147251FBB03C204544C406447EB570BFF52B4A63162300675A33946DBEB653E9284AB060202C51E0F65B6DB37088
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019446109673614
Encrypted:false
SSDEEP:192:m27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:l7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:423F926489535358EAF289889D561B71
SHA1:312EC27DAA05A36CDDD677ED352E2C695262A7C7
SHA-256:AD2ED73EE2C08D400495267CC8BEA81CF7949F4BADB2F32A16EF7BC29436D015
SHA-512:A1AE57886C40E7318AEA84D3616EAC0FFB8F2314F0814EE8B87DF35D4B18BE9581A9681F8660D16CB81BAF0657C4C95CC3F79F091FDBEBA4166CEF2E0EA672BC
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019428733538059
Encrypted:false
SSDEEP:192:/27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:e7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:75A5AB14117FF554796775C4E392B92E
SHA1:E5DF4A3CC67659EBF3DF4F0A463E6827E1582DAC
SHA-256:C4AA77CFE593A913370968CECAD8AA792B6E4F1118DF0D68E09A20AAE3CD344A
SHA-512:22AB82626DD4F5C7EFEC7E9112A92163FFB0C7A33A16BA519CEBA017B64664F49A84860C64D3F63C797CB7397A9C6563CCD9779EAB0461A8044D59CEC3179A6E
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019506351886759
Encrypted:false
SSDEEP:192:527dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:c7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:A3D796F980625E1C757E3AF7B824D9A2
SHA1:D978D5A6BBD50626B4D877B55CCA3AA1E164DF1B
SHA-256:A5DEFEA10EDB75846D8361CC393BA6A8E92573314B3188D391A914999B322941
SHA-512:557DE33C3213FA1FD8F7734CBA700068BDD481CCAA458341F65401AC5E1A9588ABBEC1DE4D8F676F3C6A7728CB0FE6AA227B4635D7A7ADFAE2B8EF30F17B212A
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019480495525032
Encrypted:false
SSDEEP:192:n27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:27XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:9E3C8599C1DFEE33DF6B4F162E6C4F2D
SHA1:21046D140B695DC48141CDD9190F965F2E73E4BB
SHA-256:D022027351105ADCC529346994FD2AB12DE7B5724C1763A179A374520D58C3D5
SHA-512:277F35DB15558233311E631C943DB38DC9DFF6095869A3B7E80D49949493BC6CFD26749609D3EA4E0854EA33C0600C4DC29C93901FB518C218568829176A824A
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019586267436224
Encrypted:false
SSDEEP:192:j27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:67XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:B5C268E89495213990F4FFDDC82DA70D
SHA1:D4BCC7383B67BD6BE2ACB5DDD972C341CE9C8C65
SHA-256:832E348C2636CBDD69951826941A929EFAA19A0DE56FC112AAB7E54DAE475F1D
SHA-512:121D7655431336D95E8EBB81C91A6ABCC20440E53AD6E8C0CEC566D3688E30D9BAA60AAA3BC3D1F9362209F29F68BFEF0BCD8FBA264A9AC59648D204F25DBDAD
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0194284226072625
Encrypted:false
SSDEEP:192:M27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:v7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:EDD3E4057E8C19CE24850E8EFCD2AA07
SHA1:B30367666D954214A493FC1C3A98FA72003CBC9B
SHA-256:1AA4FE46E1BBCAC1EDA1C0B56CC0324B3A5773BE2C5085A3651BCFFC8920534A
SHA-512:7E915986BDF73EE51027FA2BDFE965B96A656C6BA0CCCFB6348EC3417DE7D3C9956EAF402E126078E96EC1C6693F5014EE24C4CE8C85D95EBE0CE13161106859
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019536733260926
Encrypted:false
SSDEEP:192:p27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:s7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:1AF3620EE3D840867CF9E144C17FB0DC
SHA1:D6A3A5ABA2802BAB6FBAAE0AE3003BB1E07A0786
SHA-256:102ACA60F886831216C0050EE7CC2DC8EF1385876B63FF3802349C34A5BFE7C3
SHA-512:91417FC7D1E5DBDE77F285FC65F90B26CE85791E88DC8E431F431319DB13E85AFEAE5D61DC465AB1F871A8BD015A5707B750EBA45F78F672EC14F273043123B5
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.0193659868973945
Encrypted:false
SSDEEP:192:127dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:Q7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:0AC10EF34C249BCC958DA08C0E28976B
SHA1:9CA27B986C0590A36A65040575398473408D93D2
SHA-256:3F8D72B01CE484C22D2B2D84FB8A1D6957A4F6BDD2300A241AB1F94B223DF60B
SHA-512:773797062A88773B5ED044756B828A4793E2235B4C5A9861655BB5610BBEB737BE660AB39C98DDCD94865E4772C56110900B6A3AC3620E9BF33CFAE25C7B89C8
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019522272713182
Encrypted:false
SSDEEP:192:t27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:47XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:8320C54645714728D6816868F40C73EA
SHA1:AAC2F7BC8E7E87276EF858A364B82ACE52EDC536
SHA-256:E89A2B90D300C3F3E2EF6365C93066873374EC79135AA72E56FAD81B432CCE6C
SHA-512:4AB8C0FFC611B71501533D1AC56D7FB5F06BC85FB49B4E851B52C7BB45101EF1C07807602545ED2C8A2CC25C895578A0377D282797B2517AE6FDA903D314DCB1
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019271660796064
Encrypted:false
SSDEEP:192:U27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:n7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:45D3665CE1E3F0DE125674EADEDDBFE6
SHA1:0B24264BEFE2DA840ABFA2F995D61681E450F345
SHA-256:3864839197C1BA5C3C462F17EE2038CB73B98DB98CA1E83193D2DDD13A9CCC4E
SHA-512:7A9FF8CF5D82406CD380D365B0ABFBCA1685299553C3632580DAA1CB76633A002DF746241A179C685F52AA4D7B3D35703AC962E7A2E9F163DE449D71C9430388
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019452762799484
Encrypted:false
SSDEEP:192:m27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:l7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:0121097AF33F5826342DDB1FB92713AB
SHA1:57E131B01B01B8DCDE9E3617FC1531BFA8B2396D
SHA-256:C29E8450E0147B932F9477E9F118F9978D0BA95BE5DC2DB6D31824466081AEAC
SHA-512:A67D49AC7DC68C8EC8369B4CDC7523C30919D0217AFCAC49A8B30E945794D052C976FAB35E99E59B247B1F9700B2A84F2A5D284BB525F708C7D5DF03B4014DB1
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019197762204205
Encrypted:false
SSDEEP:192:p27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:s7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:CAAA1348F7746EBE17ED90BF3C6F0035
SHA1:2D41B7D2ADB5BF76285F8FAD399C1F171E9002E7
SHA-256:5CB80A7F5D96B2412AAC284F01782CE1639E774B16EBF87AB19B012F0EAC81A0
SHA-512:229DE42C3D1934646768E0E05FF6C49CE234BDC1444CB31C1258214F3402959EA64B19CE72FD7516B5350E7011E4DBDC62A1E63534DF4F9D543CA69A45BF76FA
Malicious:false
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019370599236772
Encrypted:false
SSDEEP:192:p27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:s7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:6E95D803E99AA4D9D5874332A309074E
SHA1:3994F09191078286328713D1A52FE5C6E247F588
SHA-256:B8B8D1E2B824F695A62753726F6E45A668D5C54309D7AF0B94291104CD23E2E3
SHA-512:797DBE5DD16F91220482A616B2341AE1F851A38F6B972200A602FEE1F64B73D78D3EDAD3D3DA095B70EDE8F26370F53FFBA2BF6FC79E27F65341C49CEA81EBF3
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019412830488743
Encrypted:false
SSDEEP:192:P27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:O7XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:2DE73CBD9060A82E66E259B4C2D532AF
SHA1:0627F698E64E0702C092856F9C1FF1CAB8E06D34
SHA-256:AA623D92A80A8564060085DB43785F09583AF346829C5D65F9D0D7A16CD4D874
SHA-512:92EBEB44A7DEF9C1CA6E56F6283098032689EFC9AB3BE8E6A9BAA6FE7E277931A2C93E6949F74812D1F2AA6F35F840FCB331387AB183662782F22CB027AC6903
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\system.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):38198
Entropy (8bit):4.019421119977938
Encrypted:false
SSDEEP:192:j27dsWINcVCBrUXbJrA+aki8ButlHmTAZbebAtMGV18ggzKEDFhgm/YKDH:67XIxA1a8ButlHmzTGf8Rfvgm/YKDH
MD5:A1305762448251A420A679DE9C574594
SHA1:56F1732D5AF447DA4BAF3399F775D4D18BB4610F
SHA-256:FF95D614DF4ED2AC11CBD36ABA001985E8FD163B6348F67C7E4F071056C9EBBC
SHA-512:BEE6C61D791DF44731262FAD462CAD05478A9E357E7CC7D4A6C730EB667A5CC1B6F0AD9AC10B0047734DDBBB44554548CFDB4F3860F3239340D3096A641E0C95
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\userinit.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:dropped
Size (bytes):69632
Entropy (8bit):6.375769435198149
Encrypted:false
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
MD5:0017413629107FB8B1A300FE714798A7
SHA1:4168EE9A4BBBB6541741B17481DA79808C7A9D6D
SHA-256:B31FB6F44818B2DF444399A417C3323FD98234C5546235CC863494A22992A5A7
SHA-512:FD6C0B535DE28291524DC30377E8B79F5F38CA028DD583C37F95F1083E2BD3E5DB480C1F6A88D504CFCAD8B4D0B7F6FC996610058AE70E7419A3997116FB3A62
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@..........................0......C................................................................................................................................................................text....p.......l......PEC2TO......`....rsrc................n.............. ............p.d...A&....^Y=]..]...=...|Jz......X..%w.!_X.3..f..3...{..-.............7.Ov.)..y._.B.....q8....D .s.M!s?.84...p...;..44a.fL=.........Qm...ewt./...y..J.Br&.....\ZL/@!.....z..!.+oK.....R#.?.2....d.... .u..W>.^Y.B..J.h.E..{.of.[].=~D......W....j\..lJ.G.C.u^o.hi.vS.#g%R...{..B....84;.6.x...n........;....O.c..%..].J.F.S.........U/...2.ik.....q..k(.Nn."..|3......{..Bvo...[L.C}>....MOd..?9...6....VF&.0.....L#....4D.D..0G...:.R .S.gb..a.].g1..;_O....._]..-ML.
Process:C:\Windows\userinit.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):44
Entropy (8bit):4.079225801519103
Encrypted:false
SSDEEP:3:6CFXXPkN9ymLkQmu:6Clo9yyd
MD5:270199FCBE0622A97988C3B14434853B
SHA1:F834C64DFA3F98EE0C6D3F10C2DB954002FC3614
SHA-256:EE7D8C86D929C9BB6A8DE6E2C24705B36C4E12A805C49FB543872218C336C89D
SHA-512:3519DA2FB21A41C0274D070B188A9E636256D32D2E4690E35CC86C3D947B969C6B5161632778F0C1B0AEC9410973F8176ACABBD14ADFBEE1B96725FACD212AEF
Malicious:false
Preview:Don't worry! I will protect your computer...
Process:C:\Users\user\Desktop\system.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:dropped
Size (bytes):69632
Entropy (8bit):6.375769435198149
Encrypted:false
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
MD5:0017413629107FB8B1A300FE714798A7
SHA1:4168EE9A4BBBB6541741B17481DA79808C7A9D6D
SHA-256:B31FB6F44818B2DF444399A417C3323FD98234C5546235CC863494A22992A5A7
SHA-512:FD6C0B535DE28291524DC30377E8B79F5F38CA028DD583C37F95F1083E2BD3E5DB480C1F6A88D504CFCAD8B4D0B7F6FC996610058AE70E7419A3997116FB3A62
Malicious:true
Antivirus:
  • Antivirus: ReversingLabs, Detection: 100%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@..........................0......C................................................................................................................................................................text....p.......l......PEC2TO......`....rsrc................n.............. ............p.d...A&....^Y=]..]...=...|Jz......X..%w.!_X.3..f..3...{..-.............7.Ov.)..y._.B.....q8....D .s.M!s?.84...p...;..44a.fL=.........Qm...ewt./...y..J.Br&.....\ZL/@!.....z..!.+oK.....R#.?.2....d.... .u..W>.^Y.B..J.h.E..{.of.[].=~D......W....j\..lJ.G.C.u^o.hi.vS.#g%R...{..B....84;.6.x...n........;....O.c..%..].J.F.S.........U/...2.ik.....q..k(.Nn."..|3......{..Bvo...[L.C}>....MOd..?9...6....VF&.0.....L#....4D.D..0G...:.R .S.gb..a.].g1..;_O....._]..-ML.
File type:PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Entropy (8bit):6.375769435198149
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.96%
  • Win32 EXE PECompact compressed (v2.x) (59071/9) 0.58%
  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
File name:system.exe
File size:69'632 bytes
MD5:0017413629107fb8b1a300fe714798a7
SHA1:4168ee9a4bbbb6541741b17481da79808c7a9d6d
SHA256:b31fb6f44818b2df444399a417c3323fd98234c5546235cc863494a22992a5a7
SHA512:fd6c0b535de28291524dc30377e8b79f5f38ca028dd583c37f95f1083e2bd3e5db480c1f6a88d504cfcad8b4d0b7f6fc996610058ae70e7419a3997116fb3a62
SSDEEP:768:UPhg+bINh/0cNNduw8RiMc5lU1wzNE6Xf1zBmQzTGfmgyH3rDFU:MbIbNHiRJQrzXf1zwQVgq3lU
TLSH:5A634B022F71FDC6E454C935497389D822CCBD229D2376A265903EEEFE36342792D972
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............si..si..si..ld..si.Rich.si.........................PE..L.....AK............................ .............@................
Icon Hash:00928e8e8686b000
Entrypoint:0x401220
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:0x4B41F8B7 [Mon Jan 4 14:18:31 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:09d0478591d4f788cb3e5ea416c25237
Instruction
mov eax, 00431FD8h
push eax
push dword ptr fs:[00000000h]
mov dword ptr fs:[00000000h], esp
xor eax, eax
mov dword ptr [eax], ecx
push eax
inc ebp
inc ebx
outsd
insd
jo 00007FC0052AEBB3h
arpl word ptr [edx+esi+00h], si
or al, byte ptr [edi]
sbb al, 6Bh
jmp far B5A4h : 42BC1CCEh
sbb edx, eax
sbb dl, byte ptr [ebx+7E1B9605h]
cmp dword ptr [esi-15CB4221h], ebx
les esp, fword ptr [eax-62h]
xor byte ptr [esp-06h], bh
inc ebx
hlt
rcl bh, cl
jp 00007FC0052AEB0Bh
push esi
shl dword ptr [eax-10h], cl
adc al, 71h
and ebp, esi
imul esi, edi, 35h
fsave [esi]
mov edx, 80FC5871h
fdiv dword ptr [ebx+6Eh]
mov ecx, 87743B8Ah
inc esp
sub ch, FFFFFFB6h
sub byte ptr [edx], FFFFFF8Ch
test dword ptr [9FBA6C70h], eax
xor al, 98h
outsb
jne 00007FC0052AEB68h
xchg eax, esi
dec edi
and al, F2h
inc eax
add esp, dword ptr [edi-53h]
js 00007FC0052AEBACh
or dword ptr [edi-2Ah], esi
fild qword ptr [edx]
into
lodsb
je 00007FC0052AEBD1h
jnle 00007FC0052AEB68h
add ebp, dword ptr [ecx-13AC9B0Ah]
dec ecx
out dx, al
jmp 00007FC0052AEBC2h
cmp eax, A4EDF340h
cmpsd
jc 00007FC0052AEB34h
cmc
lds edi, fword ptr [ebx]
int1
mov cl, 5Bh
lodsd
jns 00007FC0052AEAE3h
lea edi, edi
f2xm1
setb ch
cmp dl, dh
push eax
mov dl, 18h
pop ebp
mul byte ptr [ebx-4B66DE9Ch]
int 95h
jns 00007FC0052AEBA5h
mov esp, A50C8914h
xchg eax, edx
aas
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x313a4 | 0x8f | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x938c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x27000 | 0x6c00 | 7d8628e87be428ac5420e06d290379e7 | False | 1.0005787037037037 | data | 7.992500880288964 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x28000 | 0xb000 | 0xa200 | 1ce240c83bb947ba990812b5a6e5b417 | False | 0.2927517361111111 | data | 4.68055929875683 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x28298 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.11036585365853659
RT_ICON | 0x28900 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.1827956989247312
RT_ICON | 0x28be8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.4222972972972973
RT_ICON | 0x28d10 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.4048507462686567
RT_ICON | 0x29bb8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.4936823104693141
RT_ICON | 0x2a460 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.27601156069364163
RT_ICON | 0x2a9c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.2020746887966805
RT_ICON | 0x2cf70 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.2976078799249531
RT_ICON | 0x2e018 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.3421985815602837
RT_ICON | 0x2e480 | 0x2ca8 | Device independent bitmap graphic, 96 x 192 x 8, image size 0 | | | 0.15789013296011198
RT_GROUP_ICON | 0x31128 | 0x94 | Atari 68xxx CPX file (version 7400) | | | 0.8175675675675675
RT_VERSION | 0x311c0 | 0x1cc | data | English | United States | 0.5304347826086957
Imports:
DLL | Import
kernel32.dll | LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID:0
Start time:19:29:44
Start date:26/04/2024
Path:C:\Users\user\Desktop\system.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\system.exe"
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:19:29:44
Start date:26/04/2024
Path:C:\Windows\userinit.exe
Wow64 process (32bit):true
Commandline:C:\Windows\userinit.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, ReversingLabs
Reputation:low
Has exited:false

Target ID:3
Start time:19:29:46
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
  • Detection: 100%, ReversingLabs
Reputation:low
Has exited:true

Target ID:4
Start time:19:29:47
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:19:29:48
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:6
Start time:19:29:49
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:7
Start time:19:29:50
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:19:29:51
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:9
Start time:19:29:54
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:10
Start time:19:29:55
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:11
Start time:19:29:56
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:12
Start time:19:29:59
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:14
Start time:19:30:04
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:15
Start time:19:30:05
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:19:30:06
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:19:30:07
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:19:30:08
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:19:30:09
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:19:30:09
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:19:30:10
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:19:30:11
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:19:30:11
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:19:30:13
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:19:30:13
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:19:30:14
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:19:30:14
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:19:30:15
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:19:30:15
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:19:30:15
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:19:30:16
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:19:30:16
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:19:30:20
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:19:30:21
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:19:30:21
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:19:30:23
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:19:30:23
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:19:30:24
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:19:30:24
Start date:26/04/2024
Path:C:\Windows\SysWOW64\system.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\system.exe
Imagebase:0x400000
File size:69'632 bytes
MD5 hash:0017413629107FB8B1A300FE714798A7
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:18.9%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 765 530ad3 766 530add LoadLibraryA 765->766 767 530af5 766->767 767->766 768 530afb GetProcAddress 767->768 769 530b18 767->769 768->767 770 530db0 771 530dcd 770->771 773 530dc3 770->773 772 530ed3 773->772 775 530804 VirtualAlloc 773->775 778 53000d 775->778 779 530065 VirtualFree 778->779 779->773 808 531274 GetProcAddress 780 530909 782 530919 780->782 783 53094e 782->783 784 53097f VirtualAlloc 783->784 786 5309ac 784->786 785 530a4e MessageBoxA ExitProcess 786->785 789 530a68 786->789 796 531030 786->796 792 530aa8 VirtualFree 789->792 790 5309ed 791 5309fd wsprintfA 790->791 794 530a0d wsprintfA 790->794 795 530a48 791->795 794->795 795->785 797 53103c 796->797 799 5309e9 797->799 800 531086 797->800 799->789 799->790 802 531094 800->802 803 5310b6 802->803 804 5310cb 803->804 806 531252 LoadLibraryA 803->806 806->803 809 5311ed VirtualProtect 810 531228 809->810 811 53122c VirtualProtect 809->811 810->811 807 53129c VirtualProtect VirtualProtect

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 530ad3-530ada 32 530add-530af3 LoadLibraryA 31->32 33 530af5-530af9 32->33 34 530b11-530b16 33->34 35 530afb-530b0f GetProcAddress 33->35 34->32 36 530b18-530b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00530AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00530B04
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 0a093189605a673dbffa1b25bb0367a39fc0151edcc3e60ab945cf82bfbfa69a
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 82F0EC73A00200DBCB10CF18CCC09AAF7B2FF943A5329883AE842A7304D239FD168A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005314CC), ref: 0053099A
    • wsprintfA.USER32 ref: 00530A23
    • wsprintfA.USER32 ref: 00530A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00530A5A
    • ExitProcess.KERNEL32(00000000), ref: 00530A62
    • VirtualFree.KERNELBASE(02070000,00000000,00008000,ED815D00,SWVU), ref: 00530AB5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: e7a63612c44e9b464ed0626caf4cc055dd79908460907cc4ec46273fdb124017
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 2841CD3260174A9BDB38DF64CC54BEF77A8FF49341F040229EE0697689DB70AA15CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 53129c-5312ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005312C7
    • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 005312E0
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 530804-53087f VirtualAlloc call 53000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0053084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00530876
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: f07d5b2ab2a59c7dd4d0af8ef1aef58e7b6f4c32d85bd13eb83519302b1303db
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: A101B9726002187FE7009F59CC45FEEB7BCEB44350F104026F554E72C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 531252-531266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0053125C
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000000.00000002.1971769073.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.1971757265.0000000000400000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1971769073.0000000000428000.00000040.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1971769073.0000000000430000.00000040.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    Memory Dump Source
    • Source File: 00000000.00000002.1971861144.0000000000530000.00000040.00001000.00020000.00000000.sdmp, Offset: 00530000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d32333b559d4a590a820417eb3e2af78739bf06cd756918fe05bff833f4e6337
    • Instruction ID: 38fb6e94d1567db83c5e9e69eca81201ba2efacde192566f336edf9bfedf04f7
    • Opcode Fuzzy Hash: d32333b559d4a590a820417eb3e2af78739bf06cd756918fe05bff833f4e6337
    • Instruction Fuzzy Hash: 1B526D72D042299BCB18CF69C4541ADBBB1FB88350F26D26AEC597B385C674AE41CFD0
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005514CC), ref: 0055099A
    • wsprintfA.USER32 ref: 00550A23
    • wsprintfA.USER32 ref: 00550A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00550A5A
    • ExitProcess.KERNEL32(00000000), ref: 00550A62
    • VirtualFree.KERNELBASE(005B0000,00000000,00008000,ED815D00,SWVU), ref: 00550AB5
    Strings
    Memory Dump Source
    • Source File: 00000003.00000002.1982682777.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_550000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: ccd06a35ca1833b0f811d20a2db040a8d17a875b276dd0f7c01afbe10bfd8d86
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 9A41BC326017469BDB38DF64CC64BEB77A8FF45342F04022AED0697689DB70A919CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 550ad3-550ada 32 550add-550af3 LoadLibraryA 31->32 33 550af5-550af9 32->33 34 550b11-550b16 33->34 35 550afb-550b0f GetProcAddress 33->35 34->32 36 550b18-550b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00550AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00550B04
    Memory Dump Source
    • Source File: 00000003.00000002.1982682777.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_550000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: a1fac159a87681035b9161352a629f81661255f4a9a67b9162f07b91ead5a411
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: D3F0E2776002009BCB10CF18CCC09AAB7B1FF94366329883ADC4297304D235FD198A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 55129c-5512ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005512C7
    • VirtualProtect.KERNEL32(?,00001000,?,?), ref: 005512E0
    Memory Dump Source
    • Source File: 00000003.00000002.1982682777.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_550000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 550804-55087f VirtualAlloc call 55000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0055084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00550876
    Memory Dump Source
    • Source File: 00000003.00000002.1982682777.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_550000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 1095fd099c0d74f8ec32e7ddb05c2a207d7772a79982c84b196dd77a7ddf0a1e
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E501B9766002187FE7009F59CC45FEEB7BCEB44350F104026F554E72C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 551252-551266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0055125C
    Memory Dump Source
    • Source File: 00000003.00000002.1982682777.0000000000550000.00000040.00001000.00020000.00000000.sdmp, Offset: 00550000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_550000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000003.00000002.1982544314.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000003.00000002.1982532337.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1982544314.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000003.00000002.1982544314.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_3_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00690000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.1994064450.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000004.00000002.1994064450.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000004.00000002.1994064450.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000004.00000002.1994064450.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000004.00000002.1994064450.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000004.00000002.1994019255.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000004.00000002.1994006782.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000004.00000002.1994019255.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000004.00000002.1994019255.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(004B0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.2007340763.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000005.00000002.2007340763.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000005.00000002.2007340763.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000005.00000002.2007340763.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000005.00000002.2007340763.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000005.00000002.2006926435.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000005.00000002.2006844239.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000005.00000002.2006926435.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000005.00000002.2006926435.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.6%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph (node id, address, APIs called; edges written as ->, one connected component per bullet):
    • 765 510db0 -> 766 510dcd; 765 -> 768 510dc3 -> 767 510ed3; 768 -> 770 510804 VirtualAlloc -> 773 51000d -> 774 510065 VirtualFree -> 768
    • 775 510ad3 -> 776 510add LoadLibraryA -> 777 510af5 -> 776; 777 -> 778 510afb GetProcAddress -> 777; 777 -> 779 510b18
    • 808 511274 GetProcAddress
    • 780 510909 -> 782 510919 -> 783 51094e -> 784 51097f VirtualAlloc -> 786 5109ac; 786 -> 785 510a4e MessageBoxA ExitProcess; 786 -> 789 510a68 -> 794 510aa8 VirtualFree; 786 -> 796 511030 -> 797 51103c; 797 -> 799 5109e9 -> 789; 799 -> 790 5109ed; 790 -> 791 5109fd wsprintfA -> 795 510a48; 790 -> 793 510a0d wsprintfA -> 795; 795 -> 785; 797 -> 800 511086 -> 802 511094 -> 803 5110b6; 803 -> 804 5110cb; 803 -> 806 511252 LoadLibraryA -> 803
    • 809 5111ed VirtualProtect -> 810 511228 -> 811 51122c VirtualProtect; 809 -> 811
    • 807 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005C0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000006.00000002.2017906524.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, APIs called; outgoing edges after ->):
    • 31 510ad3-510ada -> 32
    • 32 510add-510af3 LoadLibraryA -> 33
    • 33 510af5-510af9 -> 34, 35
    • 34 510b11-510b16 -> 32, 36
    • 35 510afb-510b0f GetProcAddress -> 33
    • 36 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000006.00000002.2017906524.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000006.00000002.2017906524.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000006.00000002.2017906524.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000006.00000002.2017906524.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, calls; outgoing edges after ->):
    • 80 401220-401225 call 401218 -> 82
    • 82 40122a-40125d -> 83, 84
    • 83 4012ce-4012e1 -> 85, 86
    • 84 40125f-4012c6 -> 83
    • 85 4012e3-4012e6 -> 86
    • 86 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000006.00000002.2017840118.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000006.00000002.2017818300.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000006.00000002.2017840118.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000006.00000002.2017840118.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_6_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.6%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph (node id, address, APIs called; edges written as ->, one connected component per bullet):
    • 808 441274 GetProcAddress
    • 765 440db0 -> 766 440dcd; 765 -> 767 440dc3 -> 768 440ed3; 767 -> 770 440804 VirtualAlloc -> 773 44000d -> 774 440065 VirtualFree -> 767
    • 775 440ad3 -> 776 440add LoadLibraryA -> 777 440af5 -> 776; 777 -> 778 440afb GetProcAddress -> 777; 777 -> 779 440b18
    • 780 44129c VirtualProtect VirtualProtect
    • 809 4411ed VirtualProtect -> 810 44122c VirtualProtect; 809 -> 811 441228 -> 810
    • 781 440909 -> 783 440919 -> 784 44094e -> 785 44097f VirtualAlloc -> 787 4409ac; 787 -> 786 440a4e MessageBoxA ExitProcess; 787 -> 788 440a68 -> 795 440aa8 VirtualFree; 787 -> 797 441030 -> 798 44103c; 798 -> 800 4409e9 -> 788; 800 -> 791 4409ed; 791 -> 792 4409fd wsprintfA -> 796 440a48; 791 -> 794 440a0d wsprintfA -> 796; 796 -> 786; 798 -> 801 441086 -> 803 441094 -> 804 4410b6; 804 -> 805 4410cb; 804 -> 807 441252 LoadLibraryA -> 804

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00560000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000007.00000002.2029245024.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, APIs called; outgoing edges after ->):
    • 31 440ad3-440ada -> 32
    • 32 440add-440af3 LoadLibraryA -> 33
    • 33 440af5-440af9 -> 34, 35
    • 34 440b11-440b16 -> 32, 36
    • 35 440afb-440b0f GetProcAddress -> 33
    • 36 440b18-440b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000007.00000002.2029245024.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000007.00000002.2029245024.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000007.00000002.2029245024.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000007.00000002.2029245024.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, calls; outgoing edges after ->):
    • 80 401220-401225 call 401218 -> 82
    • 82 40122a-40125d -> 83, 84
    • 83 4012ce-4012e1 -> 85, 86
    • 84 40125f-4012c6 -> 83
    • 85 4012e3-4012e6 -> 86
    • 86 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000007.00000002.2029152908.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000007.00000002.2029138100.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000007.00000002.2029152908.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000007.00000002.2029152908.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_7_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.6%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph (node id, address, APIs called; edges written as ->, one connected component per bullet):
    • 765 510db0 -> 766 510dcd; 765 -> 768 510dc3 -> 767 510ed3; 768 -> 770 510804 VirtualAlloc -> 773 51000d -> 774 510065 VirtualFree -> 768
    • 775 510ad3 -> 776 510add LoadLibraryA -> 777 510af5 -> 776; 777 -> 778 510afb GetProcAddress -> 777; 777 -> 779 510b18
    • 808 511274 GetProcAddress
    • 780 510909 -> 782 510919 -> 783 51094e -> 784 51097f VirtualAlloc -> 786 5109ac; 786 -> 785 510a4e MessageBoxA ExitProcess; 786 -> 789 510a68 -> 794 510aa8 VirtualFree; 786 -> 796 511030 -> 797 51103c; 797 -> 799 5109e9 -> 789; 799 -> 790 5109ed; 790 -> 791 5109fd wsprintfA -> 795 510a48; 790 -> 793 510a0d wsprintfA -> 795; 795 -> 785; 797 -> 800 511086 -> 802 511094 -> 803 5110b6; 803 -> 804 5110cb; 803 -> 806 511252 LoadLibraryA -> 803
    • 809 5111ed VirtualProtect -> 810 511228 -> 811 51122c VirtualProtect; 809 -> 811
    • 807 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00690000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000008.00000002.2041419801.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, APIs called; outgoing edges after ->):
    • 31 510ad3-510ada -> 32
    • 32 510add-510af3 LoadLibraryA -> 33
    • 33 510af5-510af9 -> 34, 35
    • 34 510b11-510b16 -> 32, 36
    • 35 510afb-510b0f GetProcAddress -> 33
    • 36 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000008.00000002.2041419801.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000008.00000002.2041419801.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000008.00000002.2041419801.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000008.00000002.2041419801.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, calls; outgoing edges after ->):
    • 80 401220-401225 call 401218 -> 82
    • 82 40122a-40125d -> 83, 84
    • 83 4012ce-4012e1 -> 85, 86
    • 84 40125f-4012c6 -> 83
    • 85 4012e3-4012e6 -> 86
    • 86 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000008.00000002.2041309022.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000008.00000002.2041214680.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000008.00000002.2041309022.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000008.00000002.2041309022.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_8_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 9.6%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 0%
    Total number of Nodes: 37
    Total number of Limit Nodes: 5
    execution_graph (node id, address, APIs called; edges written as ->, one connected component per bullet):
    • 765 510db0 -> 766 510dcd; 765 -> 768 510dc3 -> 767 510ed3; 768 -> 770 510804 VirtualAlloc -> 773 51000d -> 774 510065 VirtualFree -> 768
    • 775 510ad3 -> 776 510add LoadLibraryA -> 777 510af5 -> 776; 777 -> 778 510afb GetProcAddress -> 777; 777 -> 779 510b18
    • 808 511274 GetProcAddress
    • 780 510909 -> 782 510919 -> 783 51094e -> 784 51097f VirtualAlloc -> 786 5109ac; 786 -> 785 510a4e MessageBoxA ExitProcess; 786 -> 789 510a68 -> 792 510aa8 VirtualFree; 786 -> 796 511030 -> 797 51103c; 797 -> 799 5109e9 -> 789; 799 -> 790 5109ed; 790 -> 791 5109fd wsprintfA -> 795 510a48; 790 -> 794 510a0d wsprintfA -> 795; 795 -> 785; 797 -> 800 511086 -> 802 511094 -> 803 5110b6; 803 -> 804 5110cb; 803 -> 806 511252 LoadLibraryA -> 803
    • 809 5111ed VirtualProtect -> 810 511228 -> 811 51122c VirtualProtect; 809 -> 811
    • 807 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00690000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000009.00000002.2063855265.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, APIs called; outgoing edges after ->):
    • 31 510ad3-510ada -> 32
    • 32 510add-510af3 LoadLibraryA -> 33
    • 33 510af5-510af9 -> 34, 35
    • 34 510b11-510b16 -> 32, 36
    • 35 510afb-510b0f GetProcAddress -> 33
    • 36 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000009.00000002.2063855265.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000009.00000002.2063855265.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000009.00000002.2063855265.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000009.00000002.2063855265.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph (basic block: address range, calls; outgoing edges after ->):
    • 80 401220-401225 call 401218 -> 82
    • 82 40122a-40125d -> 83, 84
    • 83 4012ce-4012e1 -> 85, 86
    • 84 40125f-4012c6 -> 83
    • 85 4012e3-4012e6 -> 86
    • 86 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000009.00000002.2063809010.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000009.00000002.2063796866.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000009.00000002.2063809010.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000009.00000002.2063809010.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_9_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 808 441274 GetProcAddress 765 440db0 766 440dcd 765->766 767 440dc3 765->767 768 440ed3 767->768 770 440804 VirtualAlloc 767->770 773 44000d 770->773 774 440065 VirtualFree 773->774 774->767 775 440ad3 776 440add LoadLibraryA 775->776 777 440af5 776->777 777->776 778 440afb GetProcAddress 777->778 779 440b18 777->779 778->777 780 44129c VirtualProtect VirtualProtect 809 4411ed VirtualProtect 810 44122c VirtualProtect 809->810 811 441228 809->811 811->810 781 440909 783 440919 781->783 784 44094e 783->784 785 44097f VirtualAlloc 784->785 787 4409ac 785->787 786 440a4e MessageBoxA ExitProcess 787->786 788 440a68 787->788 797 441030 787->797 795 440aa8 VirtualFree 788->795 791 4409ed 792 4409fd wsprintfA 791->792 794 440a0d wsprintfA 791->794 796 440a48 792->796 794->796 796->786 799 44103c 797->799 800 4409e9 799->800 801 441086 799->801 800->788 800->791 803 441094 801->803 804 4410b6 803->804 805 4410cb 804->805 807 441252 LoadLibraryA 804->807 807->804

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(006E0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000000A.00000002.2075314665.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000000A.00000002.2075314665.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000000A.00000002.2075314665.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000000A.00000002.2075314665.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000000A.00000002.2075314665.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000A.00000002.2075254296.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000A.00000002.2075235974.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000A.00000002.2075254296.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000A.00000002.2075254296.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_10_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 808 441274 GetProcAddress 765 440db0 766 440dcd 765->766 767 440dc3 765->767 768 440ed3 767->768 770 440804 VirtualAlloc 767->770 773 44000d 770->773 774 440065 VirtualFree 773->774 774->767 775 440ad3 776 440add LoadLibraryA 775->776 777 440af5 776->777 777->776 778 440afb GetProcAddress 777->778 779 440b18 777->779 778->777 780 44129c VirtualProtect VirtualProtect 809 4411ed VirtualProtect 810 44122c VirtualProtect 809->810 811 441228 809->811 811->810 781 440909 783 440919 781->783 784 44094e 783->784 785 44097f VirtualAlloc 784->785 787 4409ac 785->787 786 440a4e MessageBoxA ExitProcess 787->786 788 440a68 787->788 797 441030 787->797 795 440aa8 VirtualFree 788->795 791 4409ed 792 4409fd wsprintfA 791->792 794 440a0d wsprintfA 791->794 796 440a48 792->796 794->796 796->786 799 44103c 797->799 800 4409e9 799->800 801 441086 799->801 800->788 800->791 803 441094 801->803 804 4410b6 803->804 805 4410cb 804->805 807 441252 LoadLibraryA 804->807 807->804

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(005C0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000000B.00000002.2087154858.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000000B.00000002.2087154858.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000000B.00000002.2087154858.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000000B.00000002.2087154858.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000000B.00000002.2087154858.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000B.00000002.2087102066.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000B.00000002.2087086707.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000B.00000002.2087102066.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000B.00000002.2087102066.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_11_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 765 510db0 766 510dcd 765->766 768 510dc3 765->768 767 510ed3 768->767 770 510804 VirtualAlloc 768->770 773 51000d 770->773 774 510065 VirtualFree 773->774 774->768 775 510ad3 776 510add LoadLibraryA 775->776 777 510af5 776->777 777->776 778 510afb GetProcAddress 777->778 779 510b18 777->779 778->777 808 511274 GetProcAddress 780 510909 782 510919 780->782 783 51094e 782->783 784 51097f VirtualAlloc 783->784 786 5109ac 784->786 785 510a4e MessageBoxA ExitProcess 786->785 789 510a68 786->789 796 511030 786->796 794 510aa8 VirtualFree 789->794 790 5109ed 791 5109fd wsprintfA 790->791 793 510a0d wsprintfA 790->793 795 510a48 791->795 793->795 795->785 797 51103c 796->797 799 5109e9 797->799 800 511086 797->800 799->789 799->790 802 511094 800->802 803 5110b6 802->803 804 5110cb 803->804 806 511252 LoadLibraryA 803->806 806->803 809 5111ed VirtualProtect 810 511228 809->810 811 51122c VirtualProtect 809->811 810->811 807 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000000C.00000002.2144664551.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000000C.00000002.2144664551.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000000C.00000002.2144664551.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000000C.00000002.2144664551.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000000C.00000002.2144664551.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000C.00000002.2144589813.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000C.00000002.2144563372.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000C.00000002.2144589813.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000C.00000002.2144589813.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_12_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    execution_graph 765 510db0 766 510dcd 765->766 768 510dc3 765->768 767 510ed3 768->767 770 510804 VirtualAlloc 768->770 773 51000d 770->773 774 510065 VirtualFree 773->774 774->768 775 510ad3 776 510add LoadLibraryA 775->776 777 510af5 776->777 777->776 778 510afb GetProcAddress 777->778 779 510b18 777->779 778->777 808 511274 GetProcAddress 780 510909 782 510919 780->782 783 51094e 782->783 784 51097f VirtualAlloc 783->784 786 5109ac 784->786 785 510a4e MessageBoxA ExitProcess 786->785 789 510a68 786->789 796 511030 786->796 792 510aa8 VirtualFree 789->792 790 5109ed 791 5109fd wsprintfA 790->791 794 510a0d wsprintfA 790->794 795 510a48 791->795 794->795 795->785 797 51103c 796->797 799 5109e9 797->799 800 511086 797->800 799->789 799->790 802 511094 800->802 803 5110b6 802->803 804 5110cb 803->804 806 511252 LoadLibraryA 803->806 806->803 809 5111ed VirtualProtect 810 511228 809->810 811 51122c VirtualProtect 809->811 810->811 807 51129c VirtualProtect VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00580000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000000E.00000002.2172748426.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000000E.00000002.2172748426.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000000E.00000002.2172748426.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000000E.00000002.2172748426.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000000E.00000002.2172748426.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000000E.00000002.2172638469.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000E.00000002.2172564355.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000E.00000002.2172638469.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000E.00000002.2172638469.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_14_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%
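
    The per-process function blocks above all list the same loader stub, once at 0x440000 and once at 0x510000: a VirtualAlloc with flAllocationType 00001000 and flProtect 00000040, a LoadLibraryA/GetProcAddress loop, paired VirtualProtect calls, a VirtualFree with dwFreeType 00008000, and a wsprintfA/MessageBoxA/ExitProcess failure path for imports that cannot be resolved. Reading those hex arguments by hand is error-prone, so the following Python decodes them and flags the call sites that make up the unpacking pattern. It is an added example, not code from the Joe Sandbox report or its IDA plugin: parse_api_lines, describe and unpacker_indicators are names chosen here, the constant values are the Win32 ones from winnt.h (MEM_COMMIT 0x1000, MEM_RELEASE 0x8000, PAGE_READWRITE 0x4, PAGE_EXECUTE_READWRITE 0x40), and SAMPLE is a copy of the "APIs" bullets from the 0x440000 block of process 0000000A. A "?" argument is one the report could not resolve; the second VirtualProtect in each block passes such a value as the new protection, which is consistent with restoring the protection saved by the first call.

```python
"""Decode the "APIs" bullets of a Joe Sandbox function block and flag the
self-unpacking pattern they describe. Added example; not part of the report.
Function and constant names here are the example's own, not Joe Sandbox's."""
import re
from dataclasses import dataclass, field

# Win32 constants from winnt.h / memoryapi.h.
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
               0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# One bullet: Name.Module(arg,arg,...), ref: ADDRESS   (the argument list is optional)
API_LINE = re.compile(r"(\w+)\.(\w+)(?:\((.*?)\))?,?\s*ref:\s*([0-9A-Fa-f]+)")
HEX_ARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Copied from the "APIs" lists of the 0x440000 stub (process 0000000A) in the report.
SAMPLE = """
• VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
• wsprintfA.USER32 ref: 00440A23
• wsprintfA.USER32 ref: 00440A42
• MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
• ExitProcess.KERNEL32(00000000), ref: 00440A62
• VirtualFree.KERNELBASE(006E0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
• LoadLibraryA.KERNELBASE ref: 00440AE2
• GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
• VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
• VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
• VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
"""

@dataclass
class ApiCall:
    name: str
    module: str
    args: list = field(default_factory=list)  # int, None for "?", or str for string arguments
    ref: int = 0                              # address of the call site

def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None          # Joe Sandbox could not resolve the value
    if HEX_ARG.match(tok):
        return int(tok, 16)  # 8-digit hex, possibly printed with a leading minus
    return tok

def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            name, module, raw, ref = m.groups()
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            calls.append(ApiCall(name, module, args, int(ref, 16)))
    return calls

def hx(v):
    return "?" if v is None else (f"0x{v & 0xFFFFFFFF:X}" if isinstance(v, int) else str(v))

def decode_flags(value, table):
    return [n for bit, n in table.items() if value is not None and value & bit]

def decode_protect(value):
    if value is None:
        return ["(restored from saved old protection)"]
    return [PAGE_BASE.get(value & 0xFF, hx(value & 0xFF))] + decode_flags(value, PAGE_MODIFIERS)

def describe(call):
    """Symbolic rendering of the memory-management calls; other calls are echoed."""
    a = call.args
    if call.name == "VirtualAlloc" and len(a) >= 4:
        return (f"VirtualAlloc size={hx(a[1])} type={'|'.join(decode_flags(a[2], ALLOC_FLAGS))} "
                f"protect={'|'.join(decode_protect(a[3]))}")
    if call.name == "VirtualFree" and len(a) >= 3:
        return f"VirtualFree base={hx(a[0])} type={'|'.join(decode_flags(a[2], ALLOC_FLAGS))}"
    if call.name == "VirtualProtect" and len(a) >= 3:
        return f"VirtualProtect size={hx(a[1])} newprotect={'|'.join(decode_protect(a[2]))}"
    return f"{call.name}.{call.module}({', '.join(hx(x) for x in a)})"

def unpacker_indicators(calls):
    """Call sites that make up the RWX-stage / protect-flip / manual-import pattern."""
    names = {c.name for c in calls}
    found = {"rwx_alloc": [], "protect_change": [], "release": [],
             "dynamic_imports": {"LoadLibraryA", "GetProcAddress"} <= names}
    for c in calls:
        a = c.args
        if c.name == "VirtualAlloc" and len(a) >= 4 and a[3] is not None and a[3] & 0xFF == 0x40:
            found["rwx_alloc"].append(c.ref)
        elif c.name == "VirtualProtect":
            found["protect_change"].append(c.ref)
        elif c.name == "VirtualFree" and len(a) >= 3 and a[2] is not None and a[2] & 0x8000:
            found["release"].append(c.ref)
    return found

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        print(f"{c.ref:08X}  {describe(c)}")
    print(unpacker_indicators(calls))
```

    Run it as a script to print one decoded line per call site; the parser accepts the "APIs" bullets of any of the other blocks unchanged. The size argument AD10001F of the first VirtualAlloc is reproduced exactly as the report prints it, and the second VirtualAlloc (flProtect 00000004, PAGE_READWRITE) is correctly not reported as an RWX allocation.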

    Execution Graph

    Execution Coverage:9.6%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:37
    Total number of Limit Nodes:5
    Execution graph nodes (id, address, API calls) and their successors:
    • 765 (510db0) -> 766, 768
    • 766 (510dcd)
    • 767 (510ed3)
    • 768 (510dc3) -> 767, 770
    • 770 (510804) VirtualAlloc -> 773
    • 773 (51000d) -> 774
    • 774 (510065) VirtualFree -> 768
    • 775 (510ad3) -> 776
    • 776 (510add) LoadLibraryA -> 777
    • 777 (510af5) -> 776, 778, 779
    • 778 (510afb) GetProcAddress -> 777
    • 779 (510b18)
    • 780 (510909) -> 782
    • 782 (510919) -> 783
    • 783 (51094e) -> 784
    • 784 (51097f) VirtualAlloc -> 786
    • 785 (510a4e) MessageBoxA ExitProcess
    • 786 (5109ac) -> 785, 789, 796
    • 789 (510a68) -> 794
    • 790 (5109ed) -> 791, 793
    • 791 (5109fd) wsprintfA -> 795
    • 793 (510a0d) wsprintfA -> 795
    • 794 (510aa8) VirtualFree
    • 795 (510a48) -> 785
    • 796 (511030) -> 797
    • 797 (51103c) -> 799, 800
    • 799 (5109e9) -> 789, 790
    • 800 (511086) -> 802
    • 802 (511094) -> 803
    • 803 (5110b6) -> 804, 806
    • 804 (5110cb)
    • 806 (511252) LoadLibraryA -> 803
    • 807 (51129c) VirtualProtect VirtualProtect
    • 808 (511274) GetProcAddress
    • 809 (5111ed) VirtualProtect -> 810, 811
    • 810 (511228) -> 811
    • 811 (51122c) VirtualProtect

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
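    The execution graph and the API list above describe one stub in the 0x510000 region (the same code sits at 0x440000 in process 16, with identical Opcode IDs): a VirtualAlloc with flProtect 0x40, a LoadLibraryA / GetProcAddress loop, a VirtualProtect pair on a 0x1000-byte page, a VirtualFree with MEM_RELEASE, and a MessageBoxA / ExitProcess failure path. The script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses API lines in the report's own format (SAMPLE_TRACE is copied from this process's API lists), decodes the winnt.h memory constants, and prints the findings that together make up the self-unpacking pattern. The rules, the size-plausibility heuristic and the wording of the findings are this example's own.

```python
"""Decode Joe Sandbox 'APIs' lines and flag the self-unpacking pattern.

Added example; not part of the Joe Sandbox report or of the analysed sample.
SAMPLE_TRACE is copied from the report's API lists for the 0x510000 region;
the parser, constant tables and pattern rules are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# winnt.h constants used to decode VirtualAlloc / VirtualProtect / VirtualFree arguments
ALLOC_FLAGS = {
    0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT",
    0x8000: "MEM_RELEASE", 0x100000: "MEM_TOP_DOWN",
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MB_ICONHAND = 0x10  # MB_ICONERROR / MB_ICONSTOP share this value

# Constructed input: the API lines of this report for process 15, without the bullets.
SAMPLE_TRACE = """\
VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
wsprintfA.USER32 ref: 00510A23
wsprintfA.USER32 ref: 00510A42
MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
ExitProcess.KERNEL32(00000000), ref: 00510A62
VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
LoadLibraryA.KERNELBASE ref: 00510AE2
GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
"""

Arg = Union[int, str, None]


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]   # int for 8-digit hex words, None for '?', str for other literals
    ref: int          # address of the call instruction

# '<api>.<module>(<args>), ref: <addr>' or, when Joe Sandbox resolved no args, '<api>.<module> ref: <addr>'
LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(text: str) -> List[Call]:
    """Parse every line in the report's API-list format; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw is not None else []
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def decode_flags(value: Optional[int], table) -> str:
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else f"0x{value:x}"


def protect_name(value: Optional[int]) -> str:
    if value is None:
        return "?"
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value:x}")  # mask PAGE_GUARD / PAGE_NOCACHE


def arg(c: Call, i: int) -> Arg:
    return c.args[i] if i < len(c.args) else None


def find_unpacking_pattern(calls: List[Call]) -> List[str]:
    """Each rule describes one piece of a self-unpacking stub; one finding per hit."""
    findings = []
    for i, c in enumerate(calls):
        nxt = calls[i + 1] if i + 1 < len(calls) else None
        if c.api == "VirtualAlloc":
            size, alloc, prot = arg(c, 1), arg(c, 2), arg(c, 3)
            note = f"{c.ref:08X}: VirtualAlloc {decode_flags(alloc, ALLOC_FLAGS)} {protect_name(prot)}"
            if prot == 0x40:
                note += " -> RWX staging buffer"
            if isinstance(size, int) and size > 0x7FFFFFFF:  # heuristic of this example
                note += f" (size 0x{size:x} is implausible for a 32-bit stub; probably an unresolved register)"
            findings.append(note)
        elif c.api == "VirtualFree" and isinstance(arg(c, 2), int) and arg(c, 2) & 0x8000:
            base = arg(c, 0)
            where = f"0x{base:08x}" if isinstance(base, int) else "?"
            findings.append(f"{c.ref:08X}: VirtualFree MEM_RELEASE of region {where}")
        elif (c.api == "VirtualProtect" and nxt is not None and nxt.api == "VirtualProtect"
              and isinstance(arg(c, 1), int) and arg(c, 1) == arg(nxt, 1)
              and isinstance(arg(c, 2), int)):
            findings.append(
                f"{c.ref:08X}: VirtualProtect 0x{arg(c, 1):x} bytes -> {protect_name(arg(c, 2))}, "
                f"restored to {protect_name(arg(nxt, 2))} at {nxt.ref:08X} (write-unlock, patch, re-lock)")
        elif c.api == "LoadLibraryA" and nxt is not None and nxt.api == "GetProcAddress":
            findings.append(f"{c.ref:08X}: LoadLibraryA followed by GetProcAddress at {nxt.ref:08X} "
                            "-> imports resolved at run time, not through the PE import table")
        elif c.api == "MessageBoxA" and nxt is not None and nxt.api == "ExitProcess":
            utype = arg(c, 3)
            icon = "MB_ICONHAND" if isinstance(utype, int) and utype & MB_ICONHAND else "?"
            findings.append(f"{c.ref:08X}: MessageBoxA({arg(c, 1)!r}, {arg(c, 2)!r}, {icon}) then ExitProcess "
                            f"at {nxt.ref:08X} -> fatal error path of the loader stub")
    return findings


if __name__ == "__main__":
    for line in find_unpacking_pattern(parse_trace(SAMPLE_TRACE)):
        print(line)
```

    To apply it to another Joe Sandbox report, paste that report's API lines into SAMPLE_TRACE; the parser accepts the bulleted form as printed on the page. The pairing rule for VirtualProtect deliberately requires the second call to use the same dwSize, which is what distinguishes an unlock-and-restore pair from two unrelated protection changes.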
    Strings
    Memory Dump Source
    • Source File: 0000000F.00000002.2183254616.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 31: 510ad3-510ada -> 32
    • Block 32: 510add-510af3, LoadLibraryA -> 33
    • Block 33: 510af5-510af9 -> 34, 35
    • Block 34: 510b11-510b16 -> 32, 36
    • Block 35: 510afb-510b0f, GetProcAddress -> 33
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000000F.00000002.2183254616.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 37: 51129c-5112ea, VirtualProtect x2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000000F.00000002.2183254616.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 38: 510804-51087f, VirtualAlloc, call 51000d, VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000000F.00000002.2183254616.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 41: 511252-511266, LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000000F.00000002.2183254616.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 80: 401220-401225, call 401218 -> 82
    • Block 82: 40122a-40125d -> 83, 84
    • Block 83: 4012ce-4012e1 -> 85, 86
    • Block 84: 40125f-4012c6 -> 83
    • Block 85: 4012e3-4012e6 -> 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 0000000F.00000002.2183172587.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000000F.00000002.2183148280.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000000F.00000002.2183172587.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000000F.00000002.2183172587.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_15_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(02070000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000010.00000002.2191874731.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 31: 440ad3-440ada -> 32
    • Block 32: 440add-440af3, LoadLibraryA -> 33
    • Block 33: 440af5-440af9 -> 34, 35
    • Block 34: 440b11-440b16 -> 32, 36
    • Block 35: 440afb-440b0f, GetProcAddress -> 33
    • Block 36: 440b18-440b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000010.00000002.2191874731.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 37: 44129c-4412ea, VirtualProtect x2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000010.00000002.2191874731.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 38: 440804-44087f, VirtualAlloc, call 44000d, VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000010.00000002.2191874731.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 41: 441252-441266, LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000010.00000002.2191874731.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 80: 401220-401225, call 401218 -> 82
    • Block 82: 40122a-40125d -> 83, 84
    • Block 83: 4012ce-4012e1 -> 85, 86
    • Block 84: 40125f-4012c6 -> 83
    • Block 85: 4012e3-4012e6 -> 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000010.00000002.2191778811.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000010.00000002.2191751160.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000010.00000002.2191778811.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000010.00000002.2191778811.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_16_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000011.00000002.2203047986.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 31: 510ad3-510ada -> 32
    • Block 32: 510add-510af3, LoadLibraryA -> 33
    • Block 33: 510af5-510af9 -> 34, 35
    • Block 34: 510b11-510b16 -> 32, 36
    • Block 35: 510afb-510b0f, GetProcAddress -> 33
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000011.00000002.2203047986.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 37: 51129c-5112ea, VirtualProtect x2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000011.00000002.2203047986.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 38: 510804-51087f, VirtualAlloc, call 51000d, VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000011.00000002.2203047986.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 41: 511252-511266, LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000011.00000002.2203047986.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 80: 401220-401225, call 401218 -> 82
    • Block 82: 40122a-40125d -> 83, 84
    • Block 83: 4012ce-4012e1 -> 85, 86
    • Block 84: 40125f-4012c6 -> 83
    • Block 85: 4012e3-4012e6 -> 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000011.00000002.2202956533.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000011.00000002.2202927095.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000011.00000002.2202956533.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000011.00000002.2202956533.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_17_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00690000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000012.00000002.2207715512.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 31: 510ad3-510ada -> 32
    • Block 32: 510add-510af3, LoadLibraryA -> 33
    • Block 33: 510af5-510af9 -> 34, 35
    • Block 34: 510b11-510b16 -> 32, 36
    • Block 35: 510afb-510b0f, GetProcAddress -> 33
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000012.00000002.2207715512.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 37: 51129c-5112ea, VirtualProtect x2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000012.00000002.2207715512.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 38: 510804-51087f, VirtualAlloc, call 51000d, VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000012.00000002.2207715512.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 41: 511252-511266, LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000012.00000002.2207715512.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 80: 401220-401225, call 401218 -> 82
    • Block 82: 40122a-40125d -> 83, 84
    • Block 83: 4012ce-4012e1 -> 85, 86
    • Block 84: 40125f-4012c6 -> 83
    • Block 85: 4012e3-4012e6 -> 86
    • Block 86: 4012e8-4012fc
    Memory Dump Source
    • Source File: 00000012.00000002.2207609246.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000012.00000002.2207580259.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000012.00000002.2207609246.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000012.00000002.2207609246.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_18_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 31: 510ad3-510ada -> 32
    • Block 32: 510add-510af3, LoadLibraryA -> 33
    • Block 33: 510af5-510af9 -> 34, 35
    • Block 34: 510b11-510b16 -> 32, 36
    • Block 35: 510afb-510b0f, GetProcAddress -> 33
    • Block 36: 510b18-510b1c
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 37: 51129c-5112ea, VirtualProtect x2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Block 38: 510804-51087f, VirtualAlloc, call 51000d, VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000013.00000002.2215071617.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000013.00000002.2215036251.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000013.00000002.2215071617.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000013.00000002.2215071617.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_19_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00600000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000014.00000002.2221305446.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000014.00000002.2221273383.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000014.00000002.2221305446.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000014.00000002.2221305446.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_20_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(005F0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 00000015.00000002.2227658201.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000015.00000002.2227658201.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000015.00000002.2227658201.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000015.00000002.2227658201.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000015.00000002.2227658201.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000015.00000002.2227494861.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000015.00000002.2227459337.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000015.00000002.2227494861.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000015.00000002.2227494861.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_21_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00600000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 00000016.00000002.2234525501.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000016.00000002.2234525501.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000016.00000002.2234525501.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000016.00000002.2234525501.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000016.00000002.2234525501.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000016.00000002.2234419301.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000016.00000002.2234385727.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000016.00000002.2234419301.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000016.00000002.2234419301.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_22_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(005F0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Memory Dump Source
    • Source File: 00000017.00000002.2257482166.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000017.00000002.2257482166.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000017.00000002.2257482166.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000017.00000002.2257482166.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000017.00000002.2257482166.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000017.00000002.2257314126.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000017.00000002.2257277690.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000017.00000002.2257314126.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000017.00000002.2257314126.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_23_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%
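The function records above repeat one loader stub in every process dump: a VirtualAlloc with protection 0x04 (PAGE_READWRITE) or 0x40 (PAGE_EXECUTE_READWRITE), a VirtualProtect that sets a 0x1000-byte page to PAGE_READWRITE paired with a second VirtualProtect whose unknown protection argument restores the previous rights, a LoadLibraryA / GetProcAddress loop that resolves imports at run time, a VirtualFree with 0x8000 (MEM_RELEASE) on the staging buffer, and an error path that formats "The ordinal %d could not be located in the DLL %s." or "The procedure %s could not be located in the DLL %s." before MessageBoxA and ExitProcess. The Python script below is an added triage example and is not part of the Joe Sandbox report or of the sample: it parses API bullets in the report's own text format, decodes those winnt.h constants, and flags a memory dump as holding an unpacking stub when a writable allocation, a page made writable and manual import resolution all occur in the same dump. The function names, the indicator names and the verdict rule are the editor's own heuristics, not Joe Sandbox signatures; REPORT_TEXT is a constructed excerpt of the records on this page, and the process-20 dump is represented only by its error-path record so that it stays below the threshold and shows the negative case.

```python
"""Joe Sandbox function-record triage (added example; not report or sample code).
Parses the "APIs" bullets in the report's own text format, decodes the winnt.h
memory constants and flags dumps that hold a self-unpacking loader stub. REPORT_TEXT
is a constructed excerpt of this page's records; the indicator names and verdict
rule are the editor's own heuristics, not Joe Sandbox signatures."""
import re
from collections import namedtuple

MEM_RELEASE = 0x8000             # VirtualFree dwFreeType
PAGE_READWRITE = 0x04            # VirtualAlloc / VirtualProtect protection values
PAGE_EXECUTE_READWRITE = 0x40
WRITABLE_PAGES = {PAGE_READWRITE, PAGE_EXECUTE_READWRITE}

# One API bullet, with or without an argument list, e.g.
#   • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
#   • wsprintfA.USER32 ref: 00440A23
API_LINE = re.compile(r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# args: int for 8-hex-digit values, None for '?', str for string literals; ref: call site
ApiCall = namedtuple("ApiCall", "api module args ref")

def parse_arg(tok):
    """Decode one argument token the way the report prints it."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        return -int(m.group(2), 16) if m.group(1) else int(m.group(2), 16)
    return tok  # e.g. "Application corrupt."

def parse_api_line(line):
    """ApiCall for an API bullet, None for any other report line."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))

# Constructed excerpt of the records on this page (process 19 and one process-20 record).
REPORT_TEXT = """\
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    • Source File: 00000013.00000002.2215275054.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00600000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    • Source File: 00000014.00000002.2221415382.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
"""

def extract_functions(report_text):
    """Pair each record's API bullets with its dump; the report prints APIs first, Source File after."""
    records, pending = [], []
    for line in report_text.splitlines():
        s = line.strip()
        if s.startswith("• Source File:"):
            dump = s[len("• Source File:"):].split(",")[0].strip()
            if pending:
                records.append((dump, pending))
            pending = []
        else:
            call = parse_api_line(s)
            if call is not None:
                pending.append(call)
    return records

def classify(calls):
    """Loader-stub indicators present in one function's API calls."""
    names = {c.api for c in calls}
    tags = set()
    for c in calls:
        a = c.args
        if c.api == "VirtualAlloc" and len(a) > 3 and a[3] in WRITABLE_PAGES:
            tags.add("rwx_alloc" if a[3] == PAGE_EXECUTE_READWRITE else "rw_alloc")
        elif c.api == "VirtualProtect" and len(a) > 2 and a[2] in WRITABLE_PAGES:
            tags.add("page_made_writable")  # the paired call with '?' restores the old rights
        elif c.api == "VirtualFree" and len(a) > 2 and a[2] == MEM_RELEASE:
            tags.add("staging_buffer_released")
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        tags.add("manual_import_resolution")
    if {"MessageBoxA", "ExitProcess"} <= names:
        tags.add("loader_error_path")
    return tags

def is_unpack_stub(tags):
    # Verdict rule: writable allocation, a page made writable and run-time import resolution together
    return ("page_made_writable" in tags and "manual_import_resolution" in tags
            and bool(tags & {"rw_alloc", "rwx_alloc"}))

def triage(report_text):
    """Merge indicators per memory dump: {dump_name: (indicator_set, verdict)}."""
    per_dump = {}
    for dump, calls in extract_functions(report_text):
        per_dump.setdefault(dump, set()).update(classify(calls))
    return {dump: (tags, is_unpack_stub(tags)) for dump, tags in per_dump.items()}
```

Run `triage(REPORT_TEXT)` on the excerpt and the process-19 dump (`...510000...sdmp`) comes back with all four stub indicators and a True verdict, while the process-20 dump comes back False because the excerpt carries only its error-path record. Indicators are merged per dump rather than per function on purpose: the stub spreads allocation, page unprotection and import resolution across separate functions, so a per-function rule would miss it.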

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(01F40000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Memory Dump Source
    • Source File: 00000018.00000002.2257479907.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 520ad3-520ada 32 520add-520af3 LoadLibraryA 31->32 33 520af5-520af9 32->33 34 520b11-520b16 33->34 35 520afb-520b0f GetProcAddress 33->35 34->32 36 520b18-520b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000018.00000002.2257479907.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 37 52129c-5212ea (VirtualProtect * 2)
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000018.00000002.2257479907.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 38 520804-52087f (VirtualAlloc, call 52000d, VirtualFree)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000018.00000002.2257479907.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 41 521252-521266 (LoadLibraryA)
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000018.00000002.2257479907.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_520000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 80 401220-401225 (call 401218); 82 40122a-40125d; 83 4012ce-4012e1; 84 40125f-4012c6; 85 4012e3-4012e6; 86 4012e8-4012fc
    • Edges: 80->82, 82->83, 82->84, 83->85, 83->86, 84->83, 85->86
    Memory Dump Source
    • Source File: 00000018.00000002.2257274752.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000018.00000002.2257193117.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000018.00000002.2257274752.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000018.00000002.2257274752.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_24_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005214CC), ref: 0052099A
    • wsprintfA.USER32 ref: 00520A23
    • wsprintfA.USER32 ref: 00520A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00520A5A
    • ExitProcess.KERNEL32(00000000), ref: 00520A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00520AB5
    Strings
    Memory Dump Source
    • Source File: 00000019.00000002.2266191183.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_520000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 41d90491af8c99a2912e75238901586d3a54d179d463eec4cd36eadf2f8979e1
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: D641CF326027569BDB38DF24CC44BEF77A8FF46341F040229ED0697686DB70A915CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 31 520ad3-520ada; 32 520add-520af3 (LoadLibraryA); 33 520af5-520af9; 34 520b11-520b16; 35 520afb-520b0f (GetProcAddress); 36 520b18-520b1c
    • Edges: 31->32, 32->33, 33->34, 33->35, 34->32, 34->36, 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00520AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00520B04
    Memory Dump Source
    • Source File: 00000019.00000002.2266191183.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_520000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: ac671fd8cb1e3d44797065b3f654b27b8083125aa39b50b28b2d0c208dd0aeb1
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 14F0E2736012009BCB20CF18DCC09AAF7B1FF953653298839D84297345D335FD158A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 37 52129c-5212ea (VirtualProtect * 2)
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005212C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005212E0
    Memory Dump Source
    • Source File: 00000019.00000002.2266191183.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_520000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 38 520804-52087f (VirtualAlloc, call 52000d, VirtualFree)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0052084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00520876
    Memory Dump Source
    • Source File: 00000019.00000002.2266191183.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_520000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 13586288bd638891b2d04fd6f79ee3e627a4cff77d9cb1ca0d2dba955e47f66b
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B20196726002187FE7009E59DC45FAEB7ADEB44350F104026F554E62C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 41 521252-521266 (LoadLibraryA)
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0052125C
    Memory Dump Source
    • Source File: 00000019.00000002.2266191183.0000000000520000.00000040.00001000.00020000.00000000.sdmp, Offset: 00520000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_520000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 80 401220-401225 (call 401218); 82 40122a-40125d; 83 4012ce-4012e1; 84 40125f-4012c6; 85 4012e3-4012e6; 86 4012e8-4012fc
    • Edges: 80->82, 82->83, 82->84, 83->85, 83->86, 84->83, 85->86
    Memory Dump Source
    • Source File: 00000019.00000002.2266023677.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000019.00000002.2265984330.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000019.00000002.2266023677.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000019.00000002.2266023677.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_25_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005E0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000001A.00000002.2267571201.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 31 510ad3-510ada; 32 510add-510af3 (LoadLibraryA); 33 510af5-510af9; 34 510b11-510b16; 35 510afb-510b0f (GetProcAddress); 36 510b18-510b1c
    • Edges: 31->32, 32->33, 33->34, 33->35, 34->32, 34->36, 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001A.00000002.2267571201.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 37 51129c-5112ea (VirtualProtect * 2)
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001A.00000002.2267571201.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 38 510804-51087f (VirtualAlloc, call 51000d, VirtualFree)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001A.00000002.2267571201.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 41 511252-511266 (LoadLibraryA)
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001A.00000002.2267571201.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 80 401220-401225 (call 401218); 82 40122a-40125d; 83 4012ce-4012e1; 84 40125f-4012c6; 85 4012e3-4012e6; 86 4012e8-4012fc
    • Edges: 80->82, 82->83, 82->84, 83->85, 83->86, 84->83, 85->86
    Memory Dump Source
    • Source File: 0000001A.00000002.2267496829.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001A.00000002.2267475649.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001A.00000002.2267496829.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001A.00000002.2267496829.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_26_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(02080000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000001B.00000002.2273433349.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 31 440ad3-440ada; 32 440add-440af3 (LoadLibraryA); 33 440af5-440af9; 34 440b11-440b16; 35 440afb-440b0f (GetProcAddress); 36 440b18-440b1c
    • Edges: 31->32, 32->33, 33->34, 33->35, 34->32, 34->36, 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000001B.00000002.2273433349.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 37 44129c-4412ea (VirtualProtect * 2)
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000001B.00000002.2273433349.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 38 440804-44087f (VirtualAlloc, call 44000d, VirtualFree)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000001B.00000002.2273433349.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 41 441252-441266 (LoadLibraryA)
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000001B.00000002.2273433349.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 80 401220-401225 (call 401218); 82 40122a-40125d; 83 4012ce-4012e1; 84 40125f-4012c6; 85 4012e3-4012e6; 86 4012e8-4012fc
    • Edges: 80->82, 82->83, 82->84, 83->85, 83->86, 84->83, 85->86
    Memory Dump Source
    • Source File: 0000001B.00000002.2273094305.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001B.00000002.2272962201.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001B.00000002.2273094305.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001B.00000002.2273094305.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_27_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004514CC), ref: 0045099A
    • wsprintfA.USER32 ref: 00450A23
    • wsprintfA.USER32 ref: 00450A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00450A5A
    • ExitProcess.KERNEL32(00000000), ref: 00450A62
    • VirtualFree.KERNELBASE(02070000,00000000,00008000,ED815D00,SWVU), ref: 00450AB5
    Strings
    Memory Dump Source
    • Source File: 0000001C.00000002.2276473752.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_450000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: a68b9e4b470a4c4d7d6d1a9a22ef3059d8189f78a6167b784e13947708d59b53
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 2841AD366017469BDB38DF24CC44BEB73A8AF45342F00022EED069764ADB74AD19CB58
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 31 450ad3-450ada; 32 450add-450af3 (LoadLibraryA); 33 450af5-450af9; 34 450b11-450b16; 35 450afb-450b0f (GetProcAddress); 36 450b18-450b1c
    • Edges: 31->32, 32->33, 33->34, 33->35, 34->32, 34->36, 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00450AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00450B04
    Memory Dump Source
    • Source File: 0000001C.00000002.2276473752.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_450000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: c3a81a2d2ca1aec655e532447ef5a933ec4ee7638c291e49d404dccaf7f5da54
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: DEF0E27B6002009BCB10CF58CCC09AAB3B1EFA4366329883ADC4297305D239FD198A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 37 45129c-4512ea (VirtualProtect * 2)
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004512C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004512E0
    Memory Dump Source
    • Source File: 0000001C.00000002.2276473752.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_450000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 38 450804-45087f (VirtualAlloc, call 45000d, VirtualFree)
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0045084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00450876
    Memory Dump Source
    • Source File: 0000001C.00000002.2276473752.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_450000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: 04b4ee4dcd4e75d97ea7d44b4961b71730b0f39b06dc86596b597cbe1b53a709
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: 5601B576A00218BFEB009F59DC41FEEB7BCEB48754F108026F654E72C1D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 41 451252-451266 (LoadLibraryA)
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0045125C
    Memory Dump Source
    • Source File: 0000001C.00000002.2276473752.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_450000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Basic blocks: 80 401220-401225 (call 401218); 82 40122a-40125d; 83 4012ce-4012e1; 84 40125f-4012c6; 85 4012e3-4012e6; 86 4012e8-4012fc
    • Edges: 80->82, 82->83, 82->84, 83->85, 83->86, 84->83, 85->86
    Memory Dump Source
    • Source File: 0000001C.00000002.2276168046.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001C.00000002.2276115706.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001C.00000002.2276168046.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001C.00000002.2276168046.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_28_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000001D.00000002.2278226862.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001D.00000002.2278226862.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001D.00000002.2278226862.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001D.00000002.2278226862.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001D.00000002.2278226862.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001D.00000002.2278109099.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001D.00000002.2278072801.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001D.00000002.2278109099.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001D.00000002.2278109099.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_29_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(005D0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 0000001E.00000002.2281525370.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 0000001E.00000002.2281525370.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 0000001E.00000002.2281525370.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 0000001E.00000002.2281525370.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 0000001E.00000002.2281525370.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001E.00000002.2281374809.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001E.00000002.2281347563.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001E.00000002.2281374809.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001E.00000002.2281374809.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_30_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00500000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 0000001F.00000002.2285090466.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 0000001F.00000002.2285090466.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 0000001F.00000002.2285090466.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 0000001F.00000002.2285090466.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 0000001F.00000002.2285090466.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 0000001F.00000002.2284819530.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 0000001F.00000002.2284746857.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 0000001F.00000002.2284819530.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 0000001F.00000002.2284819530.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_31_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(00500000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000020.00000002.2330158483.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000020.00000002.2330158483.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000020.00000002.2330158483.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000020.00000002.2330158483.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000020.00000002.2330158483.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000020.00000002.2330019391.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000020.00000002.2329981036.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000020.00000002.2330019391.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000020.00000002.2330019391.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_32_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(02080000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000021.00000002.2333139138.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000021.00000002.2333139138.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000021.00000002.2333139138.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000021.00000002.2333139138.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000021.00000002.2333139138.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000021.00000002.2333053122.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000021.00000002.2333025177.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000021.00000002.2333053122.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000021.00000002.2333053122.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_33_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(01F40000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000022.00000002.2353072004.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000022.00000002.2352602698.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000022.00000002.2353072004.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000022.00000002.2353072004.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_34_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%
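
The records for process 0x22 above (and the same set for the other child processes) describe one runtime-unpacking stub: a VirtualAlloc with protection 0x40, a LoadLibraryA/GetProcAddress loop that resolves imports by hand, a pair of VirtualProtect calls that open a 0x1000-byte page as 0x04 and then hand the saved old protection back, and a MessageBoxA/ExitProcess bail-out on "Application corrupt.". The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it parses records of this shape, names the Win32 memory constants, tags the pattern per (process, dump base) and groups identical functions by Opcode ID. It assumes the line layout of this export and the standard Win32 constant values; SAMPLE is an excerpt copied from the records above, trimmed to the lines the parser reads.

```python
"""Triage helper for Joe Sandbox per-function records of the shape shown above.
Added example, not code from the report or the sample: it parses the 'APIs', 'Source File'
and 'Opcode ID' lines, names the Win32 memory constants, flags the unpacker pattern and
clusters identical code across processes."""
import re
from collections import defaultdict

# Standard winnt.h / memoryapi.h values (not assumptions).
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_FLAGS = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# Line shapes as they appear in this export (assumed stable for this report format).
API_RE = re.compile(r"(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})")
SOURCE_RE = re.compile(r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\..*Offset:\s*(?P<base>[0-9A-Fa-f]{8})")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# Excerpt copied from the records above (process 0x22 at 0x510000, process 0x23 at 0x440000),
# trimmed to the lines the parser reads.
SAMPLE = """\
Control-flow Graph
• VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
• MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
• Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
• Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
Control-flow Graph
• LoadLibraryA.KERNELBASE ref: 00510AE2
• GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
• Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
• Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
Control-flow Graph
• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
• VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
• Source File: 00000022.00000002.2353366848.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
• Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
Control-flow Graph
• VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
• VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
• Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
• Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
"""

def hexarg(text):
    """Int for an 8-hex-digit argument; None for '?' or a string the sandbox printed."""
    return int(text, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", text) else None

def page_name(value):
    return PAGE_FLAGS.get(value & 0xFF, hex(value))

def alloc_names(value):
    return "|".join(n for bit, n in sorted(MEM_FLAGS.items()) if value & bit) or hex(value)

def parse_blocks(text):
    """Split the export into per-function blocks: calls, process id, dump base, opcode id."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Control-flow Graph":
            cur = {"calls": [], "pid": None, "base": None, "opcode": None}
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.search(line)):
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur["calls"].append({"api": m["api"], "args": args, "ref": int(m["ref"], 16)})
        elif (m := SOURCE_RE.search(line)):
            cur["pid"], cur["base"] = int(m["pid"], 16), int(m["base"], 16)
        elif (m := OPCODE_RE.search(line)):
            cur["opcode"] = m["id"]
    return blocks

def describe(call):
    """One call in readable form with the memory constants named; '?' args are left as-is."""
    v, api, ref = [hexarg(a) for a in call["args"]], call["api"], f"{call['ref']:08X}"
    if api == "VirtualAlloc" and len(v) > 3 and None not in v[2:4]:
        return f"{api}(type={alloc_names(v[2])}, protect={page_name(v[3])}) @ {ref}"
    if api == "VirtualProtect" and len(v) > 2 and None not in v[1:3]:
        return f"{api}(size={v[1]:#x}, new={page_name(v[2])}) @ {ref}"
    return f"{api}({','.join(call['args'])}) @ {ref}"

def classify(calls):
    """Tags for one dump; 'unpacker_stub' = RWX alloc + manual imports + protect change."""
    apis = {c["api"] for c in calls}
    tags = {t for t, need in (("protect_change", {"VirtualProtect"}),
                              ("manual_import_resolution", {"LoadLibraryA", "GetProcAddress"})) if need <= apis}
    for c in calls:
        v = [hexarg(a) for a in c["args"]]
        if c["api"] == "VirtualAlloc" and len(v) > 3 and v[3] is not None and v[3] & 0xFF == 0x40:
            tags.add("rwx_alloc")
    if {"rwx_alloc", "protect_change", "manual_import_resolution"} <= tags:
        tags.add("unpacker_stub")
    return tags

def classify_dumps(blocks):  # merge every function found in the same (process, dump base)
    per_dump = defaultdict(list)
    for b in blocks:
        per_dump[(b["pid"], b["base"])].extend(b["calls"])
    return {k: classify(v) for k, v in per_dump.items()}

def cluster_by_opcode(blocks):  # Opcode ID -> sorted (pid, base): same ID, several bases = same stub re-mapped
    seen = defaultdict(set)
    for b in blocks:
        if b["opcode"] and b["pid"] is not None:
            seen[b["opcode"]].add((b["pid"], b["base"]))
    return {k: sorted(v) for k, v in seen.items()}
```

Two caveats when reading the decoded output. The sandbox prints the stack slots it saw at the call, so "?" marks a value it could not resolve, the string-looking trailing arguments on VirtualFree (ED815D00, SWVU) are stack residue rather than parameters, and the second VirtualProtect shows "?" for its new protection because it passes the pointer that the first call filled with the old protection; treat the decoded constants as a hint to confirm against the dump. Second, the same Opcode ID (559bbd...) turns up at 0x51129c in one process and 0x44129c in another, both "based on PE: false", which means the stub lives in memory allocated at runtime; hunt on the Opcode ID or Instruction Fuzzy Hash, not on the address.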

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(004B0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000023.00000002.2355039855.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000023.00000002.2354859970.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000023.00000002.2354803616.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000023.00000002.2354859970.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000023.00000002.2354859970.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_35_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(01F30000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000024.00000002.2363744705.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000024.00000002.2363744705.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000024.00000002.2363744705.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000024.00000002.2363744705.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000024.00000002.2363744705.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000024.00000002.2363593858.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000024.00000002.2363547379.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000024.00000002.2363593858.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000024.00000002.2363593858.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_36_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Callgraph

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(00580000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000025.00000002.2365835220.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000025.00000002.2365835220.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000025.00000002.2365835220.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000025.00000002.2365835220.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000025.00000002.2365835220.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_37_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,004414CC), ref: 0044099A
    • wsprintfA.USER32 ref: 00440A23
    • wsprintfA.USER32 ref: 00440A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00440A5A
    • ExitProcess.KERNEL32(00000000), ref: 00440A62
    • VirtualFree.KERNELBASE(005A0000,00000000,00008000,ED815D00,SWVU), ref: 00440AB5
    Strings
    Memory Dump Source
    • Source File: 00000026.00000002.2368932648.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: 51c51628a62a0dd4905d1a3b3950a110053ffc3e74ccb18cf1774a6ef616e593
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 0B41E0726017469BEB38DF24CC44BEF73A8EF05341F00022EEE06A7645DB74A925CB59
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 440ad3-440ada 32 440add-440af3 LoadLibraryA 31->32 33 440af5-440af9 32->33 34 440b11-440b16 33->34 35 440afb-440b0f GetProcAddress 33->35 34->32 36 440b18-440b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00440AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00440B04
    Memory Dump Source
    • Source File: 00000026.00000002.2368932648.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: 29a99d32adf733586bb9f7737fb7a0fa8047b9b90f9b7767e4316a0d785e0885
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 8DF0E2736002009BDB10CF58CCC09AAB3B2EFA43A5329883AD942A7304D239FD258A10
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 44129c-4412ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 004412C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 004412E0
    Memory Dump Source
    • Source File: 00000026.00000002.2368932648.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 440804-44087f VirtualAlloc call 44000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0044084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00440876
    Memory Dump Source
    • Source File: 00000026.00000002.2368932648.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: de64503ae01c0b614475941a4fa6e34bc6353d39bc3a3e3524431cfa616e6788
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: E2017576A00218BFEB109F59DC41FEEB7BDEB48754F148426F655E7281D2B4EA108BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 441252-441266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0044125C
    Memory Dump Source
    • Source File: 00000026.00000002.2368932648.0000000000440000.00000040.00001000.00020000.00000000.sdmp, Offset: 00440000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_440000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000026.00000002.2368815443.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000026.00000002.2368779138.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000026.00000002.2368815443.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000026.00000002.2368815443.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_38_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(00000000,AD10001F,00001000,00000040,005114CC), ref: 0051099A
    • wsprintfA.USER32 ref: 00510A23
    • wsprintfA.USER32 ref: 00510A42
    • MessageBoxA.USER32(00000000,Application corrupt.,Application error,00000010), ref: 00510A5A
    • ExitProcess.KERNEL32(00000000), ref: 00510A62
    • VirtualFree.KERNELBASE(006E0000,00000000,00008000,ED815D00,SWVU), ref: 00510AB5
    Strings
    Memory Dump Source
    • Source File: 00000027.00000002.2373587462.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: Virtualwsprintf$AllocExitFreeMessageProcess
    • String ID: Application corrupt.$Application error$SWVU$The ordinal %d could not be located in the DLL %s.$The procedure %s could not be located in the DLL %s.
    • API String ID: 81942880-1115488593
    • Opcode ID: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction ID: fad4141656490aaea3b2a1a9bab160ad707f438ac08887b89c852924daaadb9f
    • Opcode Fuzzy Hash: abfeb07af07d9cc012b4c8484b4d61b8429e721916685055bf0658c20c850080
    • Instruction Fuzzy Hash: 3D41CD326017469BEB38DF24CC44BEF77A8FF49341F044229EE0697689DBB0A995CB54
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 31 510ad3-510ada 32 510add-510af3 LoadLibraryA 31->32 33 510af5-510af9 32->33 34 510b11-510b16 33->34 35 510afb-510b0f GetProcAddress 33->35 34->32 36 510b18-510b1c 34->36 35->33
    APIs
    • LoadLibraryA.KERNELBASE ref: 00510AE2
    • GetProcAddress.KERNEL32(?,00000000), ref: 00510B04
    Memory Dump Source
    • Source File: 00000027.00000002.2373587462.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID:
    • API String ID: 2574300362-0
    • Opcode ID: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction ID: b3d2ac0fa8feefd9ff952fa27bae94fe164483ec6787a0248980fe79dbefa1b0
    • Opcode Fuzzy Hash: bfec523b0a34fb97738a06bdfbcae2ff6c25c63efdf5a5add7696fe588be8235
    • Instruction Fuzzy Hash: 7CF0E2776002009BDB10CF18CCC09EAB7B1FF943653298839D84297304D239FD958A50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 37 51129c-5112ea VirtualProtect * 2
    APIs
    • VirtualProtect.KERNELBASE(?,00001000,00000004,?,?), ref: 005112C7
    • VirtualProtect.KERNELBASE(?,00001000,?,?), ref: 005112E0
    Memory Dump Source
    • Source File: 00000027.00000002.2373587462.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID:
    • API String ID: 544645111-0
    • Opcode ID: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction ID: 0db10f7f7f2d54f55655ab94cb51b4411e090399127f33dd5203920eb90523f5
    • Opcode Fuzzy Hash: 559bbdefaf15e456d605dae105da3aef4e62acee13071953ca7ff870281ea4d7
    • Instruction Fuzzy Hash: 15F08276200305AFDB18CF40C844FDE77B9EB44390F10457AEE42AB684C6B0FA148B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 38 510804-51087f VirtualAlloc call 51000d VirtualFree
    APIs
    • VirtualAlloc.KERNELBASE(00000000,-00000436,00001000,00000004), ref: 0051084E
    • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?,?,?,?), ref: 00510876
    Memory Dump Source
    • Source File: 00000027.00000002.2373587462.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: Virtual$AllocFree
    • String ID:
    • API String ID: 2087232378-0
    • Opcode ID: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction ID: e26db2c6196a6cf4f7ca0a68cab3914a7d27174a4e80449bdf25e9938d9527e4
    • Opcode Fuzzy Hash: 91c4b18e917097ba8b0e8e167865d387aac5b8634efb3374e61c419a10993ebd
    • Instruction Fuzzy Hash: B801B9726002187FE7009F59CC45FEEB7BCEB48350F104026F554E72C1D2B4EA508BA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 41 511252-511266 LoadLibraryA
    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 0051125C
    Memory Dump Source
    • Source File: 00000027.00000002.2373587462.0000000000510000.00000040.00001000.00020000.00000000.sdmp, Offset: 00510000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_510000_system.jbxd
    Similarity
    • API ID: LibraryLoad
    • String ID:
    • API String ID: 1029625771-0
    • Opcode ID: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction ID: 8f64b75de0c81256e1979021028c1f10525bd8a4958c5d9d15c0b9e525517119
    • Opcode Fuzzy Hash: a5954c49c222c1f3ec350f8a32cdbddcbdba2b08294a8bc0e7c3682721ad8435
    • Instruction Fuzzy Hash: A1B0923321020597DB015F68E5C88CD7B21DBA42E63104133EA02980589B76C0218650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 80 401220-401225 call 401218 82 40122a-40125d 80->82 83 4012ce-4012e1 82->83 84 40125f-4012c6 82->84 85 4012e3-4012e6 83->85 86 4012e8-4012fc 83->86 84->83 85->86
    Memory Dump Source
    • Source File: 00000027.00000002.2373488440.0000000000401000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000027.00000002.2373455442.0000000000400000.00000002.00000001.01000000.00000008.sdmp
    • Associated: 00000027.00000002.2373488440.0000000000428000.00000040.00000001.01000000.00000008.sdmp
    • Associated: 00000027.00000002.2373488440.0000000000430000.00000040.00000001.01000000.00000008.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_39_2_400000_system.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction ID: 71a7f9ea773be2043e0eca7542b2ea0fd32ecc4b7880b291fdc7b167fd858397
    • Opcode Fuzzy Hash: f99a34aee2ce719b24638825ecb38a45a6753ba4531c4e97bc7e7f99d56bb462
    • Instruction Fuzzy Hash: 4321A02108E7C05FC74387B04C296817FB0AA83224B0E82EBD0C1EF0E3C66D880AD362
    Uniqueness

    Uniqueness Score: -1.00%