Windows Analysis Report
AlphaDecrypter.exe

Overview

General Information

Sample name: AlphaDecrypter.exe
Analysis ID: 1532908
MD5: 61f559e667a8a8baa99aa9d81d2afbc0
SHA1: c0d3114ab855a79e4ad229b8a6e253e1b2db2e64
SHA256: 05c1d10a8d9dd898f7e601a6032284814a640f5fa44e5fc380c17cbbe8940cd5
Tags: exe, user-bicboi

Detection

Score: 36
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Malicious sample detected (through community Yara rule)
Allocates memory with a write watch (potentially for evading sandboxes)
Detected potential crypto function
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • AlphaDecrypter.exe (PID: 6876 cmdline: "C:\Users\user\Desktop\AlphaDecrypter.exe" MD5: 61F559E667A8A8BAA99AA9D81D2AFBC0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp | Ransom_Alpha | Rule to detect Ransom.Alpha (possible false positives) | CCN-CERT
  • 0x6ffa: $a: 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 (UTF-16LE "Read Me (How Dec")
00000000.00000002.3033498403.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | Ransom_Alpha | Rule to detect Ransom.Alpha (possible false positives) | CCN-CERT
  • 0x112d2: $a: 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 (UTF-16LE "Read Me (How Dec")
00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | Ransom_Alpha | Rule to detect Ransom.Alpha (possible false positives) | CCN-CERT
  • 0x6a67c: $a: 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 (UTF-16LE "Read Me (How Dec")
  • 0x6b0b2: $a: 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 (UTF-16LE "Read Me (How Dec")
Source | Rule | Description | Author | Strings
0.2.AlphaDecrypter.exe.5830000.0.unpack | Ransom_Alpha | Rule to detect Ransom.Alpha (possible false positives) | CCN-CERT
  • 0x1b1fa: $a: 52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63 (UTF-16LE "Read Me (How Dec")
No Sigma rule has matched
No Suricata rule has matched
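Added example (editor's code, not part of the Joe Sandbox report and not the sample's own code): a small Python triage script that checks a file against the MD5/SHA1/SHA256 listed under General Information and reproduces the Ransom_Alpha $a string hit from the Yara table above, decoding the rule's UTF-16LE bytes and pulling the full NUL-terminated string at every hit offset. The buffer it scans by default is constructed inline; the note-name continuation "rypt) Files.lnk" in it is a placeholder and is not something the report shows. Pass a file path to run it against a real dump or the sample itself.

```python
"""Triage helpers for the AlphaDecrypter.exe report: verify the sample's hashes and
reproduce the Ransom_Alpha $a string hit on a memory buffer."""
import hashlib
import sys

# Hashes as printed in the report's General Information section.
REPORT_HASHES = {
    "md5": "61f559e667a8a8baa99aa9d81d2afbc0",
    "sha1": "c0d3114ab855a79e4ad229b8a6e253e1b2db2e64",
    "sha256": "05c1d10a8d9dd898f7e601a6032284814a640f5fa44e5fc380c17cbbe8940cd5",
}

# The $a byte string of CCN-CERT's Ransom_Alpha rule, exactly as the report lists it.
RANSOM_ALPHA_A_HEX = (
    "52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 "
    "28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63"
)


def hex_pattern_to_bytes(hex_string):
    """Turn a space-separated hex dump (the rule's notation) into bytes."""
    return bytes(int(tok, 16) for tok in hex_string.split())


def decode_utf16le_fragment(raw):
    """Decode a UTF-16LE fragment; the rule's string ends on an odd byte, so pad it."""
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le", errors="replace")


def verify_hashes(data, expected):
    """Return {algo: bool} telling whether `data` matches each expected digest."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest.lower()
            for algo, digest in expected.items()}


def scan_for_pattern(buf, pattern):
    """Return every offset at which `pattern` occurs in `buf` (overlaps included)."""
    hits, start = [], 0
    while (idx := buf.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def extract_utf16le_string(buf, offset, max_chars=256):
    """Read a NUL-terminated UTF-16LE string starting at `offset` (BMP code units only)."""
    chars = []
    while offset + 1 < len(buf) and len(chars) < max_chars:
        unit = buf[offset] | (buf[offset + 1] << 8)
        if unit == 0:
            break
        chars.append(chr(unit))
        offset += 2
    return "".join(chars)


RANSOM_ALPHA_A = hex_pattern_to_bytes(RANSOM_ALPHA_A_HEX)

# Constructed stand-in for a memory dump. The first 16 characters are the rule's own;
# the continuation "rypt) Files.lnk" is a placeholder, not something the report shows.
_NOTE = "Read Me (How Decrypt) Files.lnk".encode("utf-16-le")
CONSTRUCTED_DUMP = (b"\x00" * 64 + _NOTE + b"\x00" * 16 + b"MZ"
                    + b"\x00" * 30 + _NOTE + b"\x00" * 8)


def triage(data, name="<buffer>"):
    """Hash check plus rule-string scan; returns a dict a caller can inspect or print."""
    hits = scan_for_pattern(data, RANSOM_ALPHA_A)
    return {
        "name": name,
        "hashes_match": verify_hashes(data, REPORT_HASHES),
        "rule_string": decode_utf16le_fragment(RANSOM_ALPHA_A),
        "hits": [(hex(off), extract_utf16le_string(data, off)) for off in hits],
    }


if __name__ == "__main__":
    # Pass a path to check a real file; with no argument the constructed buffer is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            result = triage(fh.read(), sys.argv[1])
    else:
        result = triage(CONSTRUCTED_DUMP, "constructed dump")
    for key, value in result.items():
        print(f"{key}: {value}")
```

`hashes_match` is the IOC check against the report; `hits` shows what the Yara rule actually keys on, the UTF-16LE text "Read Me (How Dec". That is the opening of a ransom-note name, which is why the rule's own description warns of possible false positives: the string alone does not establish encryption behaviour, and the rest of this report lists no dropped files or file modification.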

Source: AlphaDecrypter.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: AlphaDecrypter.exe | Static PE information: certificate valid
Source: AlphaDecrypter.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: AlphaDecrypter.exe | String found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  • http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
  • http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  • http://crl3.digicert.com/sha2-assured-ts.crl02
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/sha2-assured-ts.crl0
  • http://ocsp.comodoca.com0
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0O
  • https://www.digicert.com/CPS0
Source: AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: AlphaDecrypter.exe, 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • https://twitter.com/demonslay335
  • https://twitter.com/hahn_katja
  • https://twitter.com/malwrhunterteam
  • https://twitter.com/siri_urz
Source: AlphaDecrypter.exe, 00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://twitter.com/demonslay335Ghttps://twitter.com/malwrhunterteam=https://twitter.com/hahn_katja9
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A11D359 GetKeyState, GetKeyState, GetKeyState, GetKeyState, GetKeyState | 0_2_0A11D359

System Summary

Source: 0.2.AlphaDecrypter.exe.5830000.0.unpack, type: UNPACKEDPE | Matched rule: Rule to detect Ransom.Alpha (possible false positives) Author: CCN-CERT
Source: 00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Rule to detect Ransom.Alpha (possible false positives) Author: CCN-CERT
Source: 00000000.00000002.3033498403.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule to detect Ransom.Alpha (possible false positives) Author: CCN-CERT
Source: 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Rule to detect Ransom.Alpha (possible false positives) Author: CCN-CERT
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_01660868 | 0_2_01660868
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_016614E2 | 0_2_016614E2
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A11A6D0 | 0_2_0A11A6D0
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A11B518 | 0_2_0A11B518
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A11B518 | 0_2_0A11B518
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A11A6D0 | 0_2_0A11A6D0
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A110670 | 0_2_0A110670
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_0A110667 | 0_2_0A110667
Source: AlphaDecrypter.exe, 00000000.00000002.3033498403.000000000167E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs AlphaDecrypter.exe
Source: AlphaDecrypter.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 0.2.AlphaDecrypter.exe.5830000.0.unpack, type: UNPACKEDPE | Matched rule: Ransom_Alpha author = CCN-CERT, description = Rule to detect Ransom.Alpha (possible false positives), version = 1.0
Source: 00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Ransom_Alpha author = CCN-CERT, description = Rule to detect Ransom.Alpha (possible false positives), version = 1.0
Source: 00000000.00000002.3033498403.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Ransom_Alpha author = CCN-CERT, description = Rule to detect Ransom.Alpha (possible false positives), version = 1.0
Source: 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Ransom_Alpha author = CCN-CERT, description = Rule to detect Ransom.Alpha (possible false positives), version = 1.0
Source: AlphaDecrypter.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: sus36.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Mutant created: NULL
Source: AlphaDecrypter.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AlphaDecrypter.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Section loaded (in load order):
  • mscoree.dll
  • apphelp.dll
  • kernel.appcore.dll
  • version.dll
  • vcruntime140_clr0400.dll
  • ucrtbase_clr0400.dll (2 times)
  • uxtheme.dll
  • wldp.dll
  • amsi.dll
  • userenv.dll
  • profapi.dll
  • msasn1.dll
  • gpapi.dll
  • windows.storage.dll
  • cryptsp.dll
  • rsaenh.dll
  • cryptbase.dll
  • dwrite.dll
  • textshaping.dll
  • textinputframework.dll
  • coreuicomponents.dll
  • coremessaging.dll
  • ntmarta.dll
  • coremessaging.dll
  • wintypes.dll (3 times)
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: AlphaDecrypter.exe | Static PE information: certificate valid
Source: AlphaDecrypter.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: AlphaDecrypter.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Code function: 0_2_016669EA push ecx; retf FFEDh | 0_2_01666A0C
Source: AlphaDecrypter.exe | Static PE information: section name: .text entropy: 7.62629055697075
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Process information set: NOOPENFILEERRORBOX (40 times)
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 3300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 5300000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 5A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 6A50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 6B80000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: 7B80000 memory reserve | memory write watch
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\AlphaDecrypter.exe | Queries volume information (VolumeInformation) on:
  • C:\Users\user\Desktop\AlphaDecrypter.exe
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  • C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
  • C:\Windows\Fonts\bahnschrift.ttf
  • C:\Windows\Fonts\calibrii.ttf
  • C:\Windows\Fonts\calibrili.ttf
  • C:\Windows\Fonts\calibrib.ttf
  • C:\Windows\Fonts\calibriz.ttf
  • C:\Windows\Fonts\cambria.ttc
  • C:\Windows\Fonts\cambriai.ttf
  • C:\Windows\Fonts\cambriab.ttf
  • C:\Windows\Fonts\cambriaz.ttf
  • C:\Windows\Fonts\cambria.ttc
  • C:\Windows\Fonts\Candara.ttf
  • C:\Windows\Fonts\Candaral.ttf
  • C:\Windows\Fonts\Candarai.ttf
  • C:\Windows\Fonts\Candarali.ttf
  • C:\Windows\Fonts\Candarab.ttf
  • C:\Windows\Fonts\Candaraz.ttf
  • C:\Windows\Fonts\comic.ttf
  • C:\Windows\Fonts\comici.ttf
  • C:\Windows\Fonts\comicbd.ttf
  • C:\Windows\Fonts\comicz.ttf
  • C:\Windows\Fonts\constan.ttf
  • C:\Windows\Fonts\constani.ttf
  • C:\Windows\Fonts\constanb.ttf
  • C:\Windows\Fonts\constanz.ttf
  • C:\Windows\Fonts\corbel.ttf
  • C:\Windows\Fonts\corbell.ttf
  • C:\Windows\Fonts\corbeli.ttf
  • C:\Windows\Fonts\corbelli.ttf
  • C:\Windows\Fonts\corbelb.ttf
  • C:\Windows\Fonts\corbelz.ttf
  • C:\Windows\Fonts\cour.ttf
  • C:\Windows\Fonts\couri.ttf
  • C:\Windows\Fonts\courbd.ttf
  • C:\Windows\Fonts\courbi.ttf
  • C:\Windows\Fonts\ebrima.ttf
  • C:\Windows\Fonts\ebrimabd.ttf
  • C:\Windows\Fonts\framd.ttf
  • C:\Windows\Fonts\FRADM.TTF
  • C:\Windows\Fonts\framdit.ttf
  • C:\Windows\Fonts\FRADMIT.TTF
  • C:\Windows\Fonts\FRAMDCN.TTF
  • C:\Windows\Fonts\FRADMCN.TTF
  • C:\Windows\Fonts\FRAHV.TTF
  • C:\Windows\Fonts\gadugi.ttf
  • C:\Windows\Fonts\gadugib.ttf
  • C:\Windows\Fonts\georgia.ttf
  • C:\Windows\Fonts\georgiab.ttf
  • C:\Windows\Fonts\georgiaz.ttf
  • C:\Windows\Fonts\impact.ttf
  • C:\Windows\Fonts\javatext.ttf
  • C:\Windows\Fonts\LeelawUI.ttf
  • C:\Windows\Fonts\LeelUIsl.ttf
  • C:\Windows\Fonts\LeelaUIb.ttf
  • C:\Windows\Fonts\lucon.ttf
  • C:\Windows\Fonts\l_10646.ttf
  • C:\Windows\Fonts\malgun.ttf
  • C:\Windows\Fonts\malgunsl.ttf
  • C:\Windows\Fonts\malgunbd.ttf
  • C:\Windows\Fonts\himalaya.ttf
  • C:\Windows\Fonts\msjh.ttc
  • C:\Windows\Fonts\msjhl.ttc
  • C:\Windows\Fonts\msjhbd.ttc
  • C:\Windows\Fonts\msjh.ttc
  • C:\Windows\Fonts\ntailu.ttf
  • C:\Windows\Fonts\ntailub.ttf
  • C:\Windows\Fonts\phagspa.ttf
  • C:\Windows\Fonts\phagspab.ttf
  • C:\Windows\Fonts\micross.ttf
  • C:\Windows\Fonts\taileb.ttf
  • C:\Windows\Fonts\msyh.ttc
  • C:\Windows\Fonts\msyhl.ttc
  • C:\Windows\Fonts\msyhbd.ttc
  • C:\Windows\Fonts\msyh.ttc
  • C:\Windows\Fonts\msyhl.ttc
  • C:\Windows\Fonts\msyhbd.ttc
  • C:\Windows\Fonts\msyi.ttf
  • C:\Windows\Fonts\mingliub.ttc (3 times)
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\AlphaDecrypter.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix, one line per tactic (leading numbers as given in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 2 Software Packing; 1 DLL Side-Loading; 2 Obfuscated Files or Information
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 Virtualization/Sandbox Evasion; 13 System Information Discovery; Query Registry; System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Source | Detection | Scanner | Label
AlphaDecrypter.exe | 11% | ReversingLabs |
AlphaDecrypter.exe | 3% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.fontbureau.com/designers | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
http://www.fonts.com | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://twitter.com/hahn_katja | 0% | Virustotal |
https://twitter.com/demonslay335Ghttps://twitter.com/malwrhunterteam=https://twitter.com/hahn_katja9 | 0% | Virustotal |
https://twitter.com/siri_urz | 0% | Virustotal |
https://twitter.com/demonslay335 | 0% | Virustotal |
https://twitter.com/malwrhunterteam | 0% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.fontbureau.com | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.goodfont.co.kr | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/hahn_katja | AlphaDecrypter.exe, 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.carterandcone.coml | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://twitter.com/siri_urz | AlphaDecrypter.exe, 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.jiyu-kobo.co.jp/ | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/malwrhunterteam | AlphaDecrypter.exe, 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.zhongyicts.com.cn | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/demonslay335 | AlphaDecrypter.exe, 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.sakkal.com | AlphaDecrypter.exe, 00000000.00000002.3037155283.0000000009A52000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://twitter.com/demonslay335Ghttps://twitter.com/malwrhunterteam=https://twitter.com/hahn_katja9 | AlphaDecrypter.exe, 00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp | false | | unknown
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532908
Start date and time: 2024-10-14 07:15:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AlphaDecrypter.exe
Detection: SUS
Classification: sus36.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 94%
  • Number of executed functions: 19
  • Number of non-executed functions: 3
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 4.186721945926943
TrID:
  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
  • Win32 Executable (generic) a (10002005/4) 49.97%
  • Generic Win/DOS Executable (2004/3) 0.01%
  • DOS Executable Generic (2002/1) 0.01%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: AlphaDecrypter.exe
File size: 150'256 bytes
MD5: 61f559e667a8a8baa99aa9d81d2afbc0
SHA1: c0d3114ab855a79e4ad229b8a6e253e1b2db2e64
SHA256: 05c1d10a8d9dd898f7e601a6032284814a640f5fa44e5fc380c17cbbe8940cd5
SHA512: a7cd7b50bd2d61d84de86f6b20d654271dee18b41212c337a5fac6f1119800d507d0301f5b277e5f73c5135e4a409a0d6f37b858ab7c623ccad1ec3cb645ac05
SSDEEP: 1536:pEyhsbhpFI+TiqWLYSWLC1G2+FBQZEhi:p81/I+TMLYWs2+FBOE
TLSH: 24E35A427F88CC02DA761EFC89A9D6052BA17E252D52C29734B4F35FDBF23D12D08266
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......X.........."...................... ........@.. ..............................4.....`................................
Icon Hash: 1733334b12725084
Entrypoint: 0x40ac8e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x589516DB [Fri Feb 3 23:48:43 2017 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (not reported)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: true
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After
  • 03/02/2017 00:00:00 02/02/2019 23:59:59
Subject Chain
  • CN=Michael Gillespie, O=Michael Gillespie, POBox=61701, STREET=1201 W. Mill, L=Bloomington, S=Illinois, PostalCode=61701, C=US
Version: 3
Thumbprint MD5: 480439E4F9700E6AF3FEE9045C0B1A9B
Thumbprint SHA-1: 3D9C456DA847F4EE640BAB501878523CF489C39E
Thumbprint SHA-256: 5676FD435A970BDD6ACCA6ECCE204AC432DA8655B7B5B7A61F3D7B0369EEBBB8
Serial: 00E6ADECD3E5B97C6E052F8F8B2CE88C3D
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the bytes following the entry-point jump are zero padding, which decodes as this instruction)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xac34           0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x19a38       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x22e00          0x1cf0        .rsrc (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x26000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: the SECURITY entry is a file offset, not an RVA, so ".rsrc" is an artifact of reading it as one. With the usual 0x200 header, the raw sections .text 0x8e00 + .rsrc 0x19c00 + .reloc 0x200 end exactly at 0x22e00, and 0x22e00 + 0x1cf0 = 0x24af0 = 150'256 bytes, the reported file size: the Authenticode signature is the trailing overlay and nothing else follows it. The 8-byte IAT (one slot plus terminator) and the 0x48-byte COM_DESCRIPTOR (the CLR header) are the layout of a .NET assembly.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x8c94        0x8e00    ad84659eb809350cf5ee69568e5a36e5  False     0.8634738116197183   data       7.62629055697075     IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xc000           0x19a38       0x19c00   6625a392659991eebfa4b1f030c30071  False     0.07970835861650485  data       2.007278149984262    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x26000          0xc           0x200     758714ab684a7f517b5df2253d7989e0  False     0.044921875          data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Note: a .text entropy of 7.63 out of 8 with a ZLIB complexity of 0.86 is the signature of packed or encrypted content rather than plain IL. That fits the Dynamic/Decrypted Code Coverage of 100% reported below and explains why every function analysed on this page comes from a memory dump ("based on PE: false") rather than from the file.
Name           RVA      Size     Type                                                                                              ZLIB Complexity
RT_ICON        0xc220   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m     0.2154255319148936
RT_ICON        0xc688   0xd2a    PNG image data, 256 x 256, 8-bit gray+alpha, non-interlaced                                       0.9617210682492582
RT_ICON        0xd3b4   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m     0.0716804979253112
RT_ICON        0xf95c   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m     0.10436210131332083
RT_ICON        0x10a04  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m  0.028628889151780433
RT_ICON        0x2122c  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m   0.053200283419933866
RT_GROUP_ICON  0x25454  0x5a     data                                                                                              0.7555555555555555
RT_VERSION     0x254b0  0x398    OpenPGP Public Key (libmagic label; see note)                                                     0.40543478260869564
RT_MANIFEST    0x25848  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                 0.5489795918367347
(The Language and Country columns are empty for every entry.)
Note: "OpenPGP Public Key" is a libmagic misidentification. An RT_VERSION resource is the VS_VERSIONINFO block, the source of the version-info fields the report compares against the file name; it is not key material.
DLL          Import
mscoree.dll  _CorExeMain
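The figures in the three tables above can be checked against each other. The Python below is an added example, not part of the Joe Sandbox report: it lays the sections out in file order (assuming the standard 0x200 header size, which the report does not list), maps RVAs to file offsets, confirms that the SECURITY entry is a file offset whose blob ends exactly at the reported file size, recovers the linker's preferred image base from the entry stub's jmp operand, and shows what the single .reloc fixup turns that operand into at the runtime base of 0xfe0000. Section sizes, directory values, file size and addresses are copied from the report; the function names are mine.

```python
"""Cross-check the PE layout figures in the report above.

Added example, not part of the Joe Sandbox report. The section table,
data directories, file size, entry-stub operand and runtime image base
are copied from the report; raw offsets and everything else are derived.
"""
from dataclasses import dataclass

FILE_SIZE = 150_256            # "File size:150'256 bytes"
HEADER_RAW_SIZE = 0x200        # assumption: the report does not list SizeOfHeaders
ENTRY_JMP_OPERAND = 0x402000   # "jmp dword ptr [00402000h]"
RUNTIME_IMAGEBASE = 0xFE0000   # "Imagebase:0xfe0000"


@dataclass(frozen=True)
class Section:
    name: str
    rva: int
    vsize: int
    raw_size: int


# Section table from the report, in file order.
SECTIONS = [
    Section(".text", 0x2000, 0x8C94, 0x8E00),
    Section(".rsrc", 0xC000, 0x19A38, 0x19C00),
    Section(".reloc", 0x26000, 0xC, 0x200),
]

# Non-empty data directories: name -> (value, size). Every value is an RVA
# except SECURITY, which the PE format defines as a file offset.
DIRECTORIES = {
    "IMPORT": (0xAC34, 0x57),
    "RESOURCE": (0xC000, 0x19A38),
    "SECURITY": (0x22E00, 0x1CF0),
    "BASERELOC": (0x26000, 0xC),
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}


def raw_offsets(sections, header_size=HEADER_RAW_SIZE):
    """Lay the sections out back to back after the headers.
    Returns ({name: file offset}, end of last section)."""
    offsets, pos = {}, header_size
    for s in sections:
        offsets[s.name] = pos
        pos += s.raw_size
    return offsets, pos


def section_for_rva(sections, rva):
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)
    if s is None:
        raise ValueError(f"RVA {rva:#x} is not inside any section")
    return raw_offsets(sections)[0][s.name] + (rva - s.rva)


def security_overlay_check(sections, directories, file_size):
    """An Authenticode blob with no other overlay starts where the last
    section's raw data ends and runs exactly to end of file."""
    offset, size = directories["SECURITY"]
    _, end_of_sections = raw_offsets(sections)
    return offset == end_of_sections and offset + size == file_size


def preferred_imagebase(jmp_operand, directories):
    """The native stub jumps through the IAT's only slot, so the absolute
    operand minus the IAT RVA is the linker's ImageBase."""
    iat_rva, iat_size = directories["IAT"]
    if iat_size != 8:                      # one 4-byte slot plus the null terminator
        raise ValueError("expected a single-entry 32-bit IAT")
    return jmp_operand - iat_rva


def relocated_operand(jmp_operand, preferred_base, actual_base):
    """What the one HIGHLOW fixup in .reloc turns the operand into."""
    return jmp_operand - preferred_base + actual_base


def directory_placement(sections, directories):
    """Section holding each RVA-typed directory; SECURITY is not an RVA,
    so treating it as one (as the report does) mislabels the overlay."""
    placement = {}
    for name, (value, _) in directories.items():
        if name == "SECURITY":
            placement[name] = "overlay"
        else:
            placement[name] = section_for_rva(sections, value).name
    return placement


if __name__ == "__main__":
    offsets, end = raw_offsets(SECTIONS)
    print({k: hex(v) for k, v in offsets.items()}, "end of sections", hex(end))
    print("signature is the trailing overlay:",
          security_overlay_check(SECTIONS, DIRECTORIES, FILE_SIZE))
    base = preferred_imagebase(ENTRY_JMP_OPERAND, DIRECTORIES)
    print(f"preferred base {base:#x}, jmp operand at run time "
          f"{relocated_operand(ENTRY_JMP_OPERAND, base, RUNTIME_IMAGEBASE):#x}")
    print(directory_placement(SECTIONS, DIRECTORIES))
```

The same layout walk is what a triage script should do before trusting any "Is in Section" column: only RVA-typed directories may be mapped through the section table, and a signature blob that does not end at EOF means there is a second overlay worth carving out.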
No network behavior found


Target ID:0
Start time:01:16:10
Start date:14/10/2024
Path:C:\Users\user\Desktop\AlphaDecrypter.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\AlphaDecrypter.exe"
Imagebase:0xfe0000
File size:150'256 bytes
MD5 hash:61F559E667A8A8BAA99AA9D81D2AFBC0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language (report heuristic; the COM_DESCRIPTOR data directory and the single import mscoree.dll!_CorExeMain identify a .NET assembly, so the functions analysed below are JIT output taken from memory dumps, not code from the file)
Yara matches:
  • Rule: Ransom_Alpha, Description: Rule to detect Ransom.Alpha (possible false positives), Source: 00000000.00000002.3034885955.0000000005846000.00000004.08000000.00040000.00000000.sdmp, Author: CCN-CERT
  • Rule: Ransom_Alpha, Description: Rule to detect Ransom.Alpha (possible false positives), Source: 00000000.00000002.3033498403.00000000016E2000.00000004.00000020.00020000.00000000.sdmp, Author: CCN-CERT
  • Rule: Ransom_Alpha, Description: Rule to detect Ransom.Alpha (possible false positives), Source: 00000000.00000002.3033902968.0000000003318000.00000004.00000800.00020000.00000000.sdmp, Author: CCN-CERT
Reputation:low
Has exited:false
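The three Yara hits above all come from the rule's single string $a, whose bytes decode as the UTF-16LE text "Read Me (How Dec" (as printed, the pattern stops on the low byte of the final "c"): the start of a ransom-note file name. Any program that handles that note, a decryption tool for the same family included, carries the identical text in its string table, which is what the rule's own "possible false positives" warning is about. The script below is an added example, not part of the report or of the CCN-CERT rule set: it decodes the pattern, compiles it the way a Yara hex string is matched (byte tokens and ?? wildcards), and runs it over a constructed memory buffer to show that only the wide-character copy fires, not an ASCII one.

```python
"""Decode the CCN-CERT Ransom_Alpha $a string and re-run it over a buffer.

Added example, not part of the report or of the CCN-CERT rule set. The hex
pattern is the one quoted in the report; the memory buffer is constructed.
"""
import re

# $a exactly as printed in the report (31 bytes: the display ends on the
# low byte of the last UTF-16 code unit).
YARA_HEX_A = ("52 00 65 00 61 00 64 00 20 00 4D 00 65 00 20 00 "
              "28 00 48 00 6F 00 77 00 20 00 44 00 65 00 63")


def yara_hex_to_regex(hex_string):
    """Compile a Yara hex string (byte tokens and ?? wildcards) to a bytes regex."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(b"\\x%02x" % int(tok, 16))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def pattern_bytes(hex_string):
    return bytes.fromhex(hex_string.replace(" ", ""))


def decode_wide(hex_string):
    """Read a wildcard-free pattern as UTF-16LE; a dangling final byte is
    the low half of one more ASCII code unit."""
    raw = pattern_bytes(hex_string)
    text = raw[: len(raw) & ~1].decode("utf-16-le")
    if len(raw) % 2:
        text += chr(raw[-1])
    return text


def scan(buf, hex_string):
    """(offset, matched bytes) per hit, the report's '0x6ffa:$a' form."""
    rx = yara_hex_to_regex(hex_string)
    return [(m.start(), m.group()) for m in rx.finditer(buf)]


def build_sample_dump():
    """Constructed memory image: filler, one UTF-16LE copy of the note name
    (how a .NET string lives in memory), filler, then an ASCII copy that the
    wide-only pattern must not match."""
    text = decode_wide(YARA_HEX_A)
    filler = bytes(range(256)) * 4
    return (filler[:0x300] + text.encode("utf-16-le") + b"\x00\x00"
            + filler[:0x100] + text.encode("ascii") + filler[:0x80])


if __name__ == "__main__":
    print(repr(decode_wide(YARA_HEX_A)), len(pattern_bytes(YARA_HEX_A)), "bytes")
    for offset, raw in scan(build_sample_dump(), YARA_HEX_A):
        print(f"{offset:#x}:$a  {raw!r}")
```

A rule keyed on the note name alone cannot separate the encryptor from its decryptor; pairing it with the file-writing or key-generation behaviour of the ransomware is what removes the false positive the rule's author flags.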


    Execution Graph

    Execution Coverage:9.7%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:28
    Total number of Limit Nodes:4
    execution_graph (rendered graph reduced to its node list: node id, address and the API the node calls)

    Chain 1: 21866 166f620 -> 21867 166f666 GetCurrentProcess -> 21869 166f6b1 -> 21870 166f6b8 GetCurrentThread (also reached directly from 21867) -> 21872 166f6ee -> 21871 166f6f5 GetCurrentProcess (also reached directly from 21870) -> 21873 166f72b GetCurrentThreadId -> 21875 166f784
    Chain 2: 21882 1666280 -> 21883 166628a, and 21882 -> 21885 1666778 -> 21886 166679d -> 21890 1666888 -> 21892 16668af -> 21891 166698c or 21898 166646c -> 21899 1667918 CreateActCtxA -> 21901 16679db; parallel path 21886 -> 21894 1666879 -> 21896 1666888 -> 21895 166698c or 21897 166646c CreateActCtxA -> 21895
    Chain 3: 21876 166f868 DuplicateHandle -> 21877 166f8fe
    Chain 4: 21878 166d578 -> 21880 166d5ba -> 21879 166d5c0 GetModuleHandleW -> 21881 166d5ed (21878 also goes straight to 21879)

    Control-flow Graph (function at 1660868; rendered graph reduced to its recoverable facts)

    • Entry block 1660868-16608af; the call at 16608b4 resolves to 1660857 or 1660868 (the function calls itself), and so does the call at 1660ed1.
    • The body is a long chain of compare-and-branch blocks from 16608ba to 1660ebc; nearly every one of them has an edge to 1660f78-1660ffa, which calls 166013c and falls through 1660ffc-1661028 into 166102a-166106d (calls 166014c and 16614e2) and ends at 1661073-166107d.
    • Two loops: 1660ea8-1660ebc branches back to 1660e15-1660e29, and 1660f64-1660f6b branches back to 1660f1f-1660f32 inside 1660ed7-1660f77.
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID: Te^q$Te^q
    • API String ID: 0-3743469327
    • Opcode ID: 23d5ca219bcf39b7f35d72d570c411cdaf105110250d62abf00d5ccfcb5d0298
    • Instruction ID: 27152e201b54aba267f19eddb6bf81b4f4cf6fb121ad7a7e84b779a6ecb3dca0
    • Opcode Fuzzy Hash: 23d5ca219bcf39b7f35d72d570c411cdaf105110250d62abf00d5ccfcb5d0298
    • Instruction Fuzzy Hash: 2F423631E001199FCB54CFADD8849AEBBB6BF89300F558569F819AB365C730EC42CB91
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3037643862.000000000A110000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A110000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a110000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID: !;#
    • API String ID: 0-2861042907
    • Opcode ID: bcd47a9bde7cda9b0d6ea1d28e24a3918b1df0863cd54848728bcb8177ad5700
    • Instruction ID: c36e3242f552afa1368e9c281cb4d87104943e3517630769ef25ad3e59685669
    • Opcode Fuzzy Hash: bcd47a9bde7cda9b0d6ea1d28e24a3918b1df0863cd54848728bcb8177ad5700
    • Instruction Fuzzy Hash: 98324835904619CFCB25DF64C984BD9B7F2FF89300F1585E9E809AB261EB71AA85CF40
    Memory Dump Source
    • Source File: 00000000.00000002.3037643862.000000000A110000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A110000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a110000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 16f6d8d468c25230c779726cc55a46f86aa366105d3db5d5f2ecc1b5cb98305e
    • Instruction ID: 338f143e33c1d2710cac014f7c6b921ed91dfe7473b0d13899bb1d1cfa95442b
    • Opcode Fuzzy Hash: 16f6d8d468c25230c779726cc55a46f86aa366105d3db5d5f2ecc1b5cb98305e
    • Instruction Fuzzy Hash: D3526A35911619DFCB25DF64C880AE9BBB1FF49340F1585E9E449AB261EB31EAC2CF40
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 8295fd502f6cfa8cc375aa08758b49468ee699c2edc3b4058a52f1bebf7e5019
    • Instruction ID: c594c1e3deb7bc9a458bc65794bf91426b17508924c7f5c3445f8d1f0daa6ff5
    • Opcode Fuzzy Hash: 8295fd502f6cfa8cc375aa08758b49468ee699c2edc3b4058a52f1bebf7e5019
    • Instruction Fuzzy Hash: 5A527A74A00605CFCB15CF58C9849AEBBF6FF89310B2A8A69D456AB355D730F846CF90

    Control-flow Graph (function 166f620-166f7ed; basic blocks with the API each calls, then edges)

    528  166f620-166f6af  GetCurrentProcess
    532  166f6b1-166f6b7
    533  166f6b8-166f6ec  GetCurrentThread
    534  166f6f5-166f729  GetCurrentProcess
    535  166f6ee-166f6f4
    536  166f732-166f74a
    537  166f72b-166f731
    541  166f753-166f782  GetCurrentThreadId
    542  166f784-166f78a
    543  166f78b-166f7ed
    edges: 528->532, 528->533, 532->533, 533->534, 533->535, 535->534, 534->536, 534->537, 537->536, 536->541, 541->542, 541->543, 542->543
    APIs
    • GetCurrentProcess.KERNEL32 ref: 0166F69E
    • GetCurrentThread.KERNEL32 ref: 0166F6DB
    • GetCurrentProcess.KERNEL32 ref: 0166F718
    • GetCurrentThreadId.KERNEL32 ref: 0166F771
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID: Current$ProcessThread
    • String ID: !;#
    • API String ID: 2063062207-2861042907
    • Opcode ID: ae1d3cf29fca70b1a377ee79170e8dfd6d42240c275355c70fc5e0ed7f4a0a3d
    • Instruction ID: 0f52a34c2d2b4b0749c040086981499f8dfaf9196c09ae4e1b5cc27dbdf4fe8b
    • Opcode Fuzzy Hash: ae1d3cf29fca70b1a377ee79170e8dfd6d42240c275355c70fc5e0ed7f4a0a3d
    • Instruction Fuzzy Hash: 1D5147B09102098FDB14CFA9E948BAEBFF5FF48314F208469E419A7360DB349985CF65

    Control-flow Graph (function 166790c-1667a61; basic blocks with the API each calls, then edges)

    609  166790c-16679d9  CreateActCtxA
    611  16679e2-1667a3c
    612  16679db-16679e1
    619  1667a3e-1667a41
    620  1667a4b-1667a4f
    621  1667a60
    622  1667a51-1667a5d
    624  1667a61  (branches to itself)
    edges: 609->611, 609->612, 612->611, 611->619, 611->620, 619->620, 620->621, 620->622, 622->621, 621->624, 624->624
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 016679C9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID: Create
    • String ID: !;#
    • API String ID: 2289755597-2861042907
    • Opcode ID: ff4878bf25943ab98f18869d5b6ea4575e2d7854eb642b655213cdc8eeabdd62
    • Instruction ID: 9c03c9858b745bf86b48881ed6b604e1e3a7748517d0616a31bee3ed4995b7d8
    • Opcode Fuzzy Hash: ff4878bf25943ab98f18869d5b6ea4575e2d7854eb642b655213cdc8eeabdd62
    • Instruction Fuzzy Hash: 0B41E2B0C00719CEDB24CFA9C844BCEBBF5BF48308F24816AD408AB255DB755986CF90

    Control-flow Graph (entered at 166646c, same body as the 166790c graph; basic blocks with the API each calls, then edges)

    625  166646c-16679d9  CreateActCtxA
    628  16679e2-1667a3c
    629  16679db-16679e1
    636  1667a3e-1667a41
    637  1667a4b-1667a4f
    638  1667a60
    639  1667a51-1667a5d
    641  1667a61  (branches to itself)
    edges: 625->628, 625->629, 629->628, 628->636, 628->637, 636->637, 637->638, 637->639, 639->638, 638->641, 641->641
    APIs
    • CreateActCtxA.KERNEL32(?), ref: 016679C9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID: Create
    • String ID: !;#
    • API String ID: 2289755597-2861042907
    • Opcode ID: 1e9a9fad76f0f43ece26e774c92c9b266a0114d3bc075465f0152fee7a7db616
    • Instruction ID: b09092a8c54297a68ed1cf4319659ea7b67fd73e3eceac481453cd523ddb9adf
    • Opcode Fuzzy Hash: 1e9a9fad76f0f43ece26e774c92c9b266a0114d3bc075465f0152fee7a7db616
    • Instruction Fuzzy Hash: FA41C1B0C0071DDBDB24DFA9C844B9EBBF5BF48308F24816AD408AB255DB756945CF90

    Control-flow Graph (function 166f868-166f922; basic blocks with the API each calls, then edges)

    642  166f868-166f8fc  DuplicateHandle
    643  166f905-166f922
    644  166f8fe-166f904
    edges: 642->643, 642->644, 644->643
    APIs
    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0166F8EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID: DuplicateHandle
    • String ID: !;#
    • API String ID: 3793708945-2861042907
    • Opcode ID: e567a5a45722cfe3ca140a55ed40ab734f0a1d0e1aee9856115b5ca0da42ea7b
    • Instruction ID: b7dde72c7bb596388835ad8ee942d85a5d2e6d23d76ee1b6d4318ded6c99a121
    • Opcode Fuzzy Hash: e567a5a45722cfe3ca140a55ed40ab734f0a1d0e1aee9856115b5ca0da42ea7b
    • Instruction Fuzzy Hash: 7B21E4B5D002589FDB10CF9AD984ADEBFF8FB48310F14845AE914A3310D374A954CFA4

    Control-flow Graph (function 166d578-166d608; basic blocks with the API each calls, then edges)

    647  166d578-166d5b8
    648  166d5c0-166d5eb  GetModuleHandleW
    649  166d5ba-166d5bd
    650  166d5f4-166d608
    651  166d5ed-166d5f3
    edges: 647->648, 647->649, 649->648, 648->650, 648->651, 651->650
    APIs
    • GetModuleHandleW.KERNELBASE(00000000), ref: 0166D5DE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3033478383.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1660000_AlphaDecrypter.jbxd
    Similarity
    • API ID: HandleModule
    • String ID: !;#
    • API String ID: 4139908857-2861042907
    • Opcode ID: c8f4fbfdcf56c811f1da2c012916e26fd85acd7bf02a0c60170c8c1eb43151cb
    • Instruction ID: e9bb73500268cf0cd1c3c1dd5946f80a3f8a7bf6bc3f151e820b7f317e826d48
    • Opcode Fuzzy Hash: c8f4fbfdcf56c811f1da2c012916e26fd85acd7bf02a0c60170c8c1eb43151cb
    • Instruction Fuzzy Hash: 2A1110B5D002498FDB10CF9AC844ADEFBF8AB88324F10842AD869A7610D375A545CFA1
    Memory Dump Source
    • Source File: 00000000.00000002.3033117893.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_154d000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d3c355b6ee2cb420e7b75a0d70d3bf5fc2c7ad0f229530427d71f6c0cc7cea90
    • Instruction ID: 66569b888b756832e19c32c2231f1121db5974fe60eb6b77ba8f88d25fa87d38
    • Opcode Fuzzy Hash: d3c355b6ee2cb420e7b75a0d70d3bf5fc2c7ad0f229530427d71f6c0cc7cea90
    • Instruction Fuzzy Hash: EB214571500200DFDB05DF58C9C0B6ABFB5FBA8328F20C56DE9090F25AC37AE456CAA1
    Memory Dump Source
    • Source File: 00000000.00000002.3033117893.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_154d000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7265e9ed2f9e5f36fe46def7fddce9ef97a982c4a7fdfd0902fcd4c8194a722a
    • Instruction ID: 202b4970524d0c0fadc485d66d299a560ebd867b51f2e4c62764f6ffaff2bc4c
    • Opcode Fuzzy Hash: 7265e9ed2f9e5f36fe46def7fddce9ef97a982c4a7fdfd0902fcd4c8194a722a
    • Instruction Fuzzy Hash: B2210071600240DFDB05DF58D9C0B6ABFB5FBA831CF20C669E9094F25AC736D456CAA2
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 44a623a336e53ca1e716349d161cd8ccc818f75b7c910b7cf7fc8c703bd8d0d7
    • Instruction ID: 229e1e58534fc43a5691f11dbe20dadf5c6892678ba01baeea269dcd479dbe09
    • Opcode Fuzzy Hash: 44a623a336e53ca1e716349d161cd8ccc818f75b7c910b7cf7fc8c703bd8d0d7
    • Instruction Fuzzy Hash: 0F210071A04200DFCB19DF58D988B2ABFF5FB84314F28C969D80A4F256D33AD446CA61
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e6428ec5b9f6846f36be8f9a902f921bc5b5894ae9cfc13cdb039d0cb98307ff
    • Instruction ID: c019297017bbe0e2b46b7f3fc742cd01e60653d686fb9792b9c55b888201bd51
    • Opcode Fuzzy Hash: e6428ec5b9f6846f36be8f9a902f921bc5b5894ae9cfc13cdb039d0cb98307ff
    • Instruction Fuzzy Hash: C8210775904200DFDB09DF98D5C8B2ABBF5FB84324F20C9ADD9494F296C33AD446CA61
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: f4bfe1365334ff1862eae8b1e69f7234ab0710e80fdf9258c148c8c2e33d9f14
    • Instruction ID: 4b1756fa9f6f0ddc989a9d3a59140890c4890614072ce43070eacf179085ac47
    • Opcode Fuzzy Hash: f4bfe1365334ff1862eae8b1e69f7234ab0710e80fdf9258c148c8c2e33d9f14
    • Instruction Fuzzy Hash: 46212675904200DFDB09DF58D5C8B2EBBF5FB88324F24CA69D8494F246C33AD446C6A1
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9bdc5a824239b9923495965f02a2e176570f9fee3bb4052382dcda8c21f9d12b
    • Instruction ID: 6f0424496060c4706102e01591a8a5aecba412e0d2977a4b18cbe2d1a7bbf707
    • Opcode Fuzzy Hash: 9bdc5a824239b9923495965f02a2e176570f9fee3bb4052382dcda8c21f9d12b
    • Instruction Fuzzy Hash: 69219F755093808FDB07CF24D994715BFB1FB46214F28C5EAD8498F2A7C33A980ACB62
    Memory Dump Source
    • Source File: 00000000.00000002.3033117893.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_154d000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction ID: 478d2beca2383007fe13e7f2049c16d4f3d9b82d30ca13f9c9486cfcebbfaeff
    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction Fuzzy Hash: EC11DF76404240CFDB02CF54D5C4B5ABF71FB94328F24C2A9D9090F256C33AE45ACBA1
    Memory Dump Source
    • Source File: 00000000.00000002.3033117893.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_154d000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction ID: aeeecc561b938a3bd4d62aed1bd439bff2c1b0f30534f5c778e5624f403df045
    • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
    • Instruction Fuzzy Hash: 0211E172504280CFCB02CF54D5C4B5ABF71FB94318F24C6A9D8090F256C33AD45ACBA1
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
    • Instruction ID: a570c9cd2bee0fa4d5ae8d94bbd9a5307726d85d150342f19139aa2894bfdb13
    • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
    • Instruction Fuzzy Hash: FE118B75904280DFDB16CF54D5C8B19BFB1FB84224F24C6AAD8494F696C33AD44ACB61
    Memory Dump Source
    • Source File: 00000000.00000002.3033262170.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_15ed000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
    • Instruction ID: 1080a755d4c6bc9a67a368e09ece4b05e4a5afda7f30d10201b1f329612f2b82
    • Opcode Fuzzy Hash: 72d23902bf60047e6ac5528eaef86f122a9a091f4bdaa5726a35430d0a81cb07
    • Instruction Fuzzy Hash: 94119076904280DFDB16CF14D5C4B1AFFB1FB88324F24C6AAD8494B656C33AD40ACBA1
    APIs
    • GetKeyState.USER32(00000001), ref: 0A11D3B5   (VK_LBUTTON)
    • GetKeyState.USER32(00000002), ref: 0A11D3FA   (VK_RBUTTON)
    • GetKeyState.USER32(00000004), ref: 0A11D43F   (VK_MBUTTON)
    • GetKeyState.USER32(00000005), ref: 0A11D484   (VK_XBUTTON1)
    • GetKeyState.USER32(00000006), ref: 0A11D4C9   (VK_XBUTTON2)
    • Note: all five codes are mouse buttons, polled in the order System.Windows.Forms.Control.MouseButtons polls them; no keyboard key is read here, so the "key state polling" signature is firing on a stock WinForms property getter.
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3037643862.000000000A110000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A110000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a110000_AlphaDecrypter.jbxd
    Similarity
    • API ID: State
    • String ID: !;#
    • API String ID: 1649606143-2861042907
    • Opcode ID: 66fb044e9610c74d8129196526b68b42998d66bb314e5fe36ad0d532d676f15f
    • Instruction ID: 56e969ab7cbe0673517ccbbd7e0d475f2be4bce62c48e409606c338ceef6628c
    • Opcode Fuzzy Hash: 66fb044e9610c74d8129196526b68b42998d66bb314e5fe36ad0d532d676f15f
    • Instruction Fuzzy Hash: 6E4194B0D11745DEDB11CF59D5897AFBFF4AB04708F20846AD048A7A90C77CA185CF95
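The five GetKeyState calls in the function above are a mouse-button query, not keyboard capture, and a triage step should be able to tell the two apart from the API log alone. The script below is an added example rather than anything from the report: it parses API lines in the report's own format, names the virtual-key codes, and labels the sequence either as the WinForms MouseButtons pattern or as a keyboard sweep. The five report lines are copied in; the GetAsyncKeyState keylogger-style lines, the "ref" addresses on them and the ten-key threshold are constructed assumptions.

```python
"""Triage a 'key state polling' hit from API lines in the report's format.

Added example, not part of the report. REPORT_LINES are the five
GetKeyState calls listed above; the keylogger-style lines and the sweep
threshold are constructed assumptions.
"""
import re

# The buttons System.Windows.Forms.Control.MouseButtons polls, in its order.
MOUSE_VKS = {1: "VK_LBUTTON", 2: "VK_RBUTTON", 4: "VK_MBUTTON",
             5: "VK_XBUTTON1", 6: "VK_XBUTTON2"}
WINFORMS_MOUSEBUTTONS_SEQUENCE = (1, 2, 4, 5, 6)

REPORT_LINES = """\
GetKeyState.USER32(00000001), ref: 0A11D3B5
GetKeyState.USER32(00000002), ref: 0A11D3FA
GetKeyState.USER32(00000004), ref: 0A11D43F
GetKeyState.USER32(00000005), ref: 0A11D484
GetKeyState.USER32(00000006), ref: 0A11D4C9
"""

# Constructed: what a polling keylogger leaves behind instead, a sweep of
# modifiers plus the digit and letter keys through GetAsyncKeyState.
CONSTRUCTED_KEYLOGGER_LINES = "\n".join(
    f"GetAsyncKeyState.USER32({vk:08X}), ref: 0040{0x1000 + vk:04X}"
    for vk in [0x10, 0x14] + list(range(0x30, 0x5B)))

LINE_RX = re.compile(
    r"^(Get(?:Async)?KeyState)\.USER32\(([0-9A-Fa-f]{8})\), ref: ([0-9A-Fa-f]+)$")


def parse_calls(text):
    """-> [(api, virtual-key code, call-site address)] in log order."""
    calls = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ")
        if not line:
            continue
        m = LINE_RX.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return calls


def vk_name(vk):
    if vk in MOUSE_VKS:
        return MOUSE_VKS[vk]
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:   # VK_0..VK_9, VK_A..VK_Z
        return "VK_" + chr(vk)
    return {0x10: "VK_SHIFT", 0x14: "VK_CAPITAL"}.get(vk, f"VK_{vk:#04x}")


def classify(calls, sweep_threshold=10):
    """Label the polling pattern. The threshold is an assumption."""
    vks = tuple(vk for _, vk, _ in calls)
    if vks == WINFORMS_MOUSEBUTTONS_SEQUENCE:
        return "winforms-mousebuttons"
    keyboard = {vk for vk in vks if vk not in MOUSE_VKS}
    if not keyboard:
        return "mouse-only"
    if len(keyboard) >= sweep_threshold:
        return "keyboard-sweep"
    return "mixed"


def summarize(text):
    calls = parse_calls(text)
    return classify(calls), [f"{api}({vk_name(vk)}) @ {ref:#010x}" for api, vk, ref in calls]


if __name__ == "__main__":
    for label, sample in (("report", REPORT_LINES),
                          ("constructed", CONSTRUCTED_KEYLOGGER_LINES)):
        verdict, lines = summarize(sample)
        print(label, "->", verdict)
        for entry in lines[:5]:
            print("   ", entry)
```

The signature itself is not wrong to fire: a sandbox cannot know which virtual keys a polling loop will ask for. The analyst's job is the second look this script automates, reading the codes actually passed and the API used (GetAsyncKeyState sweeps over the letter range are the keylogger shape; five mouse codes through GetKeyState are a UI toolkit).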
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3037643862.000000000A110000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A110000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a110000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID: fff?
    • API String ID: 0-4136771917
    • Opcode ID: 85ee7bc7f4f8f592efa3ba834262de9e2d9c6459e34abfcfb26d7f081fe37dff
    • Instruction ID: 5f7a821a5ab9f4db18e0ffdf041e4a41f658700abea7981312b3930af0ea5489
    • Opcode Fuzzy Hash: 85ee7bc7f4f8f592efa3ba834262de9e2d9c6459e34abfcfb26d7f081fe37dff
    • Instruction Fuzzy Hash: 6F62283681061ADFCF11DF60C884AD9BBB2FF99304F1586D5E9086B125EB71AAD5CF80
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.3037643862.000000000A110000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A110000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_a110000_AlphaDecrypter.jbxd
    Similarity
    • API ID:
    • String ID: fff?
    • API String ID: 0-4136771917
    • Opcode ID: 24d21513579f4092e9c730f5e297397ef8f5b5cee39f2882b45657ba4d89d822
    • Instruction ID: 8f6f1e0f63dfa9945c18f53ab8b1213c808181a726269926f9253194e038dade
    • Opcode Fuzzy Hash: 24d21513579f4092e9c730f5e297397ef8f5b5cee39f2882b45657ba4d89d822
    • Instruction Fuzzy Hash: C712293580065ADFCF11DF50C884AD9BBB2FF49304F1585E5E9086F266DB72AA96CF80