Edit tour

Windows Analysis Report
uctgkfb7.exe

Overview

General Information

Sample name:	uctgkfb7.exe
Analysis ID:	1577363
MD5:	775f4c7210df898b94567787f91821f8
SHA1:	3b07503249ae0460ca0cb8cd892ca0a9fe6da2bf
SHA256:	1733612a98edf009c2b9154063a21de71129ba2a5574f7a1df6f82ce4111ae9f
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

uctgkfb7.exe (PID: 7724 cmdline: "C:\Users\user\Desktop\uctgkfb7.exe" MD5: 775F4C7210DF898B94567787F91821F8)

schtasks.exe (PID: 7864 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Windows.exe (PID: 7976 cmdline: C:\Users\user\Windows.exe MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 8128 cmdline: "C:\Users\user\Windows.exe" MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 5948 cmdline: "C:\Users\user\Windows.exe" MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 2472 cmdline: C:\Users\user\Windows.exe MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 3068 cmdline: C:\Users\user\Windows.exe MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 6100 cmdline: C:\Users\user\Windows.exe MD5: 775F4C7210DF898B94567787F91821F8)

Windows.exe (PID: 5652 cmdline: C:\Users\user\Windows.exe MD5: 775F4C7210DF898B94567787F91821F8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["rondtimes.top"], "Port": 1940, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
uctgkfb7.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
uctgkfb7.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc661:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc813:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc251:$cnc4: POST / HTTP/1.1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Windows.exe	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
C:\Users\user\Windows.exe	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc661:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc813:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc251:$cnc4: POST / HTTP/1.1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc461:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc4fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc613:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc051:$cnc4: POST / HTTP/1.1
Process Memory Space: uctgkfb7.exe PID: 7724	JoeSecurity_XWorm	Yara detected XWorm	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.uctgkfb7.exe.9f0000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.0.uctgkfb7.exe.9f0000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc661:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xc6fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xc813:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xc251:$cnc4: POST / HTTP/1.1

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Windows.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\uctgkfb7.exe, ProcessId: 7724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\uctgkfb7.exe, ProcessId: 7724, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T12:37:13.739297+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.10	49981	192.210.175.202	1940	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: uctgkfb7.exe

Avira: detected

Antivirus detection for URL or domain

Source: rondtimes.top

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Windows.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: uctgkfb7.exe

Malware Configuration Extractor: Xworm {"C2 url": ["rondtimes.top"], "Port": 1940, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Windows.exe

ReversingLabs: Detection: 84%

Multi AV Scanner detection for submitted file

Source: uctgkfb7.exe

ReversingLabs: Detection: 84%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Windows.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: uctgkfb7.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: uctgkfb7.exe	String decryptor: rondtimes.top
Source: uctgkfb7.exe	String decryptor: 1940
Source: uctgkfb7.exe	String decryptor: <123456789>
Source: uctgkfb7.exe	String decryptor: <Xwormmm>
Source: uctgkfb7.exe	String decryptor: MentorBots
Source: uctgkfb7.exe	String decryptor: USB.exe
Source: uctgkfb7.exe	String decryptor: %Userprofile%
Source: uctgkfb7.exe	String decryptor: Windows.exe

Source: uctgkfb7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: uctgkfb7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49708 -> 192.210.175.202:1940
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.10:49981 -> 192.210.175.202:1940

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: rondtimes.top

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: rondtimes.top

Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002D31000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Malicious sample detected (through community Yara rule)

Source: uctgkfb7.exe, type: SAMPLE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.uctgkfb7.exe.9f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\uctgkfb7.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\uctgkfb7.exe	Code function: 0_2_00007FF7C0E273F6	0_2_00007FF7C0E273F6
Source: C:\Users\user\Desktop\uctgkfb7.exe	Code function: 0_2_00007FF7C0E281A2	0_2_00007FF7C0E281A2
Source: C:\Users\user\Desktop\uctgkfb7.exe	Code function: 0_2_00007FF7C0E21291	0_2_00007FF7C0E21291
Source: C:\Users\user\Desktop\uctgkfb7.exe	Code function: 0_2_00007FF7C0E21B99	0_2_00007FF7C0E21B99
Source: C:\Users\user\Desktop\uctgkfb7.exe	Code function: 0_2_00007FF7C0E20E3A	0_2_00007FF7C0E20E3A
Source: C:\Users\user\Windows.exe	Code function: 4_2_00007FF7C0E3128C	4_2_00007FF7C0E3128C
Source: C:\Users\user\Windows.exe	Code function: 4_2_00007FF7C0E30DFA	4_2_00007FF7C0E30DFA
Source: C:\Users\user\Windows.exe	Code function: 4_2_00007FF7C0E31B99	4_2_00007FF7C0E31B99
Source: C:\Users\user\Windows.exe	Code function: 6_2_00007FF7C0E50DFA	6_2_00007FF7C0E50DFA
Source: C:\Users\user\Windows.exe	Code function: 6_2_00007FF7C0E51058	6_2_00007FF7C0E51058
Source: C:\Users\user\Windows.exe	Code function: 6_2_00007FF7C0E51B99	6_2_00007FF7C0E51B99
Source: C:\Users\user\Windows.exe	Code function: 7_2_00007FF7C0E40DFA	7_2_00007FF7C0E40DFA
Source: C:\Users\user\Windows.exe	Code function: 7_2_00007FF7C0E41058	7_2_00007FF7C0E41058
Source: C:\Users\user\Windows.exe	Code function: 7_2_00007FF7C0E41B99	7_2_00007FF7C0E41B99
Source: C:\Users\user\Windows.exe	Code function: 8_2_00007FF7C0E3128C	8_2_00007FF7C0E3128C
Source: C:\Users\user\Windows.exe	Code function: 8_2_00007FF7C0E30DFA	8_2_00007FF7C0E30DFA
Source: C:\Users\user\Windows.exe	Code function: 8_2_00007FF7C0E31B99	8_2_00007FF7C0E31B99
Source: C:\Users\user\Windows.exe	Code function: 11_2_00007FF7C0E3128C	11_2_00007FF7C0E3128C
Source: C:\Users\user\Windows.exe	Code function: 11_2_00007FF7C0E30DFA	11_2_00007FF7C0E30DFA
Source: C:\Users\user\Windows.exe	Code function: 11_2_00007FF7C0E31B99	11_2_00007FF7C0E31B99
Source: C:\Users\user\Windows.exe	Code function: 13_2_00007FF7C0E60DFA	13_2_00007FF7C0E60DFA
Source: C:\Users\user\Windows.exe	Code function: 13_2_00007FF7C0E61058	13_2_00007FF7C0E61058
Source: C:\Users\user\Windows.exe	Code function: 13_2_00007FF7C0E61B99	13_2_00007FF7C0E61B99
Source: C:\Users\user\Windows.exe	Code function: 14_2_00007FF7C0E60DFA	14_2_00007FF7C0E60DFA
Source: C:\Users\user\Windows.exe	Code function: 14_2_00007FF7C0E61058	14_2_00007FF7C0E61058
Source: C:\Users\user\Windows.exe	Code function: 14_2_00007FF7C0E61B99	14_2_00007FF7C0E61B99

Source: uctgkfb7.exe, 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNeubuild.exe4 vs uctgkfb7.exe
Source: uctgkfb7.exe	Binary or memory string: OriginalFilenameNeubuild.exe4 vs uctgkfb7.exe

Source: uctgkfb7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: uctgkfb7.exe, type: SAMPLE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.uctgkfb7.exe.9f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Windows.exe, type: DROPPED	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: uctgkfb7.exe, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: uctgkfb7.exe, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: uctgkfb7.exe, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Windows.exe.0.dr, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: uctgkfb7.exe, 1PH82pcS9YCbgPm9JRxN2C3CxYUEOymxXnjMbI8HbGcIQiDmSTyGPj.cs	Base64 encoded string: 'PZaTxaZFxDIuk421vyFhXI83ncHTPYuHuunpYcysn0g4AbJsDOcuOe6b8ClzF2HCPz82UkZi'
Source: uctgkfb7.exe, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Base64 encoded string: 'rSuz6yoHSTbNvS33ciZuz1KX1gdKVA47MgGFjDawKM61TKRWCqMFVQbS7EJCxS0VrqJQ2TSh'
Source: uctgkfb7.exe, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	Base64 encoded string: 'JXFSPXcvNZifKT7b6H6CfSXIG5Uq1wEJgTZQ2UdfhEHxJMWgnkfTpbOcyCmIlbtxpqazJdCY'
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	Base64 encoded string: 'LsCMCPtEetpQTwFPq3vla2q39Q1Cgdm5kg9yxQcjwEuuOpsVHHwJ4cx5Yo6Xy8qb3uwtoxNw', 'HFU0LTD49rGioJ6v15lW9YtcdjilJVXC3gdPRhW4DbO1tTvkFQuhZEiySD0tB2j5OP6QNO3n', 'p0JVb3QBMHGkzPCdC5O6UwYQPiPq8DeE7Zj8ZyHed7k0zDFmu9hoozPw024FQRTS5sHVywKM', 'r0rjZ93aoJ8eShzQLcq8VL5NMzIm4Ak1g6tAEHQcJNPhEgUQAn1dLgMe876ToyFhxFo4jdmN', 'wpoQayNAaZuTqaHF5Kjh0A4LZKQobOHaFY1Wn4yc1ASXmwQlyQbGVjvZtppwXTTDq0UOTz2P', 'JlWapRYhrpCJiUQkLio0CIkYYTR9nb7IZHDcOkl6DpbLJMKU6nqs5UHb0snseYE8AZZk8KQo', 'H1MftccS1irkh00DQ2F3nSPEu0EexZJ2ZvfNjbdJP6HP6T0hbflpuZpk2IXYsN9uwhsFVDPe', 'rukTb5uLHPmrUJiGOqr0HClV7al3y2FrbD1ZfmCNrJD8kFLO96zyCLarQaIKway3MvvU0hNG'
Source: Windows.exe.0.dr, 1PH82pcS9YCbgPm9JRxN2C3CxYUEOymxXnjMbI8HbGcIQiDmSTyGPj.cs	Base64 encoded string: 'PZaTxaZFxDIuk421vyFhXI83ncHTPYuHuunpYcysn0g4AbJsDOcuOe6b8ClzF2HCPz82UkZi'
Source: Windows.exe.0.dr, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	Base64 encoded string: 'rSuz6yoHSTbNvS33ciZuz1KX1gdKVA47MgGFjDawKM61TKRWCqMFVQbS7EJCxS0VrqJQ2TSh'
Source: Windows.exe.0.dr, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	Base64 encoded string: 'JXFSPXcvNZifKT7b6H6CfSXIG5Uq1wEJgTZQ2UdfhEHxJMWgnkfTpbOcyCmIlbtxpqazJdCY'
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	Base64 encoded string: 'LsCMCPtEetpQTwFPq3vla2q39Q1Cgdm5kg9yxQcjwEuuOpsVHHwJ4cx5Yo6Xy8qb3uwtoxNw', 'HFU0LTD49rGioJ6v15lW9YtcdjilJVXC3gdPRhW4DbO1tTvkFQuhZEiySD0tB2j5OP6QNO3n', 'p0JVb3QBMHGkzPCdC5O6UwYQPiPq8DeE7Zj8ZyHed7k0zDFmu9hoozPw024FQRTS5sHVywKM', 'r0rjZ93aoJ8eShzQLcq8VL5NMzIm4Ak1g6tAEHQcJNPhEgUQAn1dLgMe876ToyFhxFo4jdmN', 'wpoQayNAaZuTqaHF5Kjh0A4LZKQobOHaFY1Wn4yc1ASXmwQlyQbGVjvZtppwXTTDq0UOTz2P', 'JlWapRYhrpCJiUQkLio0CIkYYTR9nb7IZHDcOkl6DpbLJMKU6nqs5UHb0snseYE8AZZk8KQo', 'H1MftccS1irkh00DQ2F3nSPEu0EexZJ2ZvfNjbdJP6HP6T0hbflpuZpk2IXYsN9uwhsFVDPe', 'rukTb5uLHPmrUJiGOqr0HClV7al3y2FrbD1ZfmCNrJD8kFLO96zyCLarQaIKway3MvvU0hNG'

Source: Windows.exe.0.dr, K2BD4VkwuldG1qwfBRT1cK.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows.exe.0.dr, K2BD4VkwuldG1qwfBRT1cK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: uctgkfb7.exe, K2BD4VkwuldG1qwfBRT1cK.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: uctgkfb7.exe, K2BD4VkwuldG1qwfBRT1cK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/3@1/1

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\Windows.exe

Jump to behavior

Source: C:\Users\user\Windows.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\uctgkfb7.exe	Mutant created: \Sessions\1\BaseNamedObjects\KOaIe77ZDnhdHyqP
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03

Source: uctgkfb7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: uctgkfb7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\uctgkfb7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: uctgkfb7.exe

ReversingLabs: Detection: 84%

Source: C:\Users\user\Desktop\uctgkfb7.exe

File read: C:\Users\user\Desktop\uctgkfb7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\uctgkfb7.exe "C:\Users\user\Desktop\uctgkfb7.exe"
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe"
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Windows.exe C:\Users\user\Windows.exe
Source: unknown	Process created: C:\Users\user\Windows.exe "C:\Users\user\Windows.exe"
Source: unknown	Process created: C:\Users\user\Windows.exe "C:\Users\user\Windows.exe"
Source: unknown	Process created: C:\Users\user\Windows.exe C:\Users\user\Windows.exe
Source: unknown	Process created: C:\Users\user\Windows.exe C:\Users\user\Windows.exe
Source: unknown	Process created: C:\Users\user\Windows.exe C:\Users\user\Windows.exe
Source: unknown	Process created: C:\Users\user\Windows.exe C:\Users\user\Windows.exe
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe"	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Windows.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: Windows.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\Windows.exe

Source: uctgkfb7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: uctgkfb7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yTtLI2xFrZoOqJqinkMlrV.fCRNlXo8npryyn3XZEc1MH,yTtLI2xFrZoOqJqinkMlrV._7IUTQeolyfKcPxFnsJuyZ0,yTtLI2xFrZoOqJqinkMlrV.iK5EowgmBAHCHmlSnX51Nr,yTtLI2xFrZoOqJqinkMlrV.HFnxhK4AxxUrvqENRgS2PP,Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.TRhdD1VqPeDVbYb5e0AlN6nVvxlh1WBuXJ2jI0VT4KZuXsOu1XLiFr()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[2],Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.rNI0ydGIjbCnDCyNaqD865vZlFs2AfGgbpb0DVJbu72LpjT0OfSOcA(Convert.FromBase64String(_1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{yTtLI2xFrZoOqJqinkMlrV.fCRNlXo8npryyn3XZEc1MH,yTtLI2xFrZoOqJqinkMlrV._7IUTQeolyfKcPxFnsJuyZ0,yTtLI2xFrZoOqJqinkMlrV.iK5EowgmBAHCHmlSnX51Nr,yTtLI2xFrZoOqJqinkMlrV.HFnxhK4AxxUrvqENRgS2PP,Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.TRhdD1VqPeDVbYb5e0AlN6nVvxlh1WBuXJ2jI0VT4KZuXsOu1XLiFr()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[2],Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.rNI0ydGIjbCnDCyNaqD865vZlFs2AfGgbpb0DVJbu72LpjT0OfSOcA(Convert.FromBase64String(_1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _1qWsx4LRtrkorWbCGTHqmb9hCHIWGvbeI9bhN4xFXGEtUqkIOsp7F3[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: PSEzO17P7vxMQWBtYDlZbc System.AppDomain.Load(byte[])
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: JZKLpjc1HCKzPA3E0zCLoOwuHeHnfrdpek0O4RvrqzqdbJumqW1IWd System.AppDomain.Load(byte[])
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: JZKLpjc1HCKzPA3E0zCLoOwuHeHnfrdpek0O4RvrqzqdbJumqW1IWd
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: PSEzO17P7vxMQWBtYDlZbc System.AppDomain.Load(byte[])
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: JZKLpjc1HCKzPA3E0zCLoOwuHeHnfrdpek0O4RvrqzqdbJumqW1IWd System.AppDomain.Load(byte[])
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	.Net Code: JZKLpjc1HCKzPA3E0zCLoOwuHeHnfrdpek0O4RvrqzqdbJumqW1IWd

Source: C:\Users\user\Windows.exe

Code function: 6_2_00007FF7C0E500BD pushad ; iretd

6_2_00007FF7C0E500C1

Source: uctgkfb7.exe, sWFCyZBloO2qwHg6AqqFgvGpZUjJ8MgyUV2WYxuu.cs	High entropy of concatenated method names: 'EzL4uI0oppWRsBiPEPAQzdaRZ9LXMAhoYSYffNsH', 'QStXy8DhHhGXZueiyAnh7dmldotOvxMP2CZcFk3z', '_9dci1nmL710epjtcuxk8dxzIAQ6Wwi3SoMRhUoTT', '_2Tm8qFwImiXroc', 'BSWJDFI2aBC8wo', 'GEs0uUeQjSJXTN', 'HwNLkRF51PNFVw', 'CNYcKOMhqblyKz', 'b5d1i5U5MUP50z', 'xYclXH6S9Rt0xQ'
Source: uctgkfb7.exe, yTtLI2xFrZoOqJqinkMlrV.cs	High entropy of concatenated method names: '_8a50JnSf0w52YrdxHAjUyfXpfejMpSbiSIrvxo8h', 'U9UagrhpXGceCBMVJOMK1MfuSuzPeHcNjLvZGQkX', 'UMmGacBA47ciyLxrleLNj4FG5MMxQ9QTyXgULPL1', 'qVg93PHT8Z0ec4LRGm5iLzGLZSaZRyWmspINV3dd'
Source: uctgkfb7.exe, Fh0OvwfTZgkG4WhO2Tr4Bm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'sbUFf2bMNAgn6jOlMLOL2epUvyifKXgHj1u1EHDd', 'NbGNfvTC4widNEGgxKxFXiSNsaivTTQpXZjQfOle', 'K5lTffvQgZIzvOakqasBh52Ui7MFiygc8iidQwBv', 'LQA9P15XgBdMTw8WRTJDzyA4u71WPFia8XGLvXWX'
Source: uctgkfb7.exe, K2BD4VkwuldG1qwfBRT1cK.cs	High entropy of concatenated method names: '_33Diw4ZgLrQBhREESzv6NW', '_5ww4TEgBBIElzVa2WBMNGe', 'CFI9YCGNR6rWMjq4pSafRl', 'xvV7JWv5i52Lrq7UDQYlFv', 'g4TbJI7e5hwZxcmoFhiMUc', 'Qlaj1doGzAiYD3II7wFG0X', 'i6zK6p9D7t0f8Wab4grVGy', 'mGRW4wpCFHOUgheAm65ivF', 'foqJwkqKXxWQHhIAPfptbJ', 'wll7prrwQEXdwcIxbTSCOH'
Source: uctgkfb7.exe, 1PH82pcS9YCbgPm9JRxN2C3CxYUEOymxXnjMbI8HbGcIQiDmSTyGPj.cs	High entropy of concatenated method names: 'ZOFTszbFtr4JIFMAFt4sgyM4DLqjjAteHZA79aBpBf68YGYISk1oEI', 'SFrz6GsEQOjORxlv0Gb9CwwI6GDWKhBjF4SXwN1rF9z09iEffHLeMeuXgQ4HHkDnUSYNKLEI', 'hZdvSTkWU4mhOiCGqYytn1aLtGvV1GzK9FddT5MqRnKL8pQzCG8srLBuDd58ZZmmmnw4hy0p', 'j7wVz3DSTZ3NCtZ4urwCiVVBwm3C2yWUvZ1EVR9dgWAlieTiZSY2ppWopCLreewILvskIFMm', 'g9BWvZANImBBVNbt1UcCI7apN8YtP5tg00EMQqPnzO13BsxOxxliLttvVqpTsUnfNAzpL30g'
Source: uctgkfb7.exe, bYGvLmBhdxtIyhqc7F2edR.cs	High entropy of concatenated method names: 'TZUzfgi68os3PzWzQLn39x', 'GXEuCUTW6VBXGwxcjYoLRU', 'KYxCAttYFTBCiVnNHix9X3', 'kuqvbqcMOZZuweB6Qj3gM21BW6RTVBXkA1VTmDRK', 'XLKRAKoocgCBJiNcFROQyCMa0DD2KyUI2ApRfdcF', 'Z5YqNnsAmMEVQ2qt9f7xDaMm2q9G7E20reTNLimr', 'EwiHEocfqR76rs5AE0brPCezSw1zjGS1CNEs4AOs', 'B2MDYGkzyL16DrokzAgcxWkOlqSw3D3QsZNkI5CZ', 'bjaOcjek6PPDj6K7itDApsb8N66qLMVRXenrpYBR', 'ZzRHIvm5sq2kw9072FD2lBU9Kxr6qsfS4LFrPZ2C'
Source: uctgkfb7.exe, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	High entropy of concatenated method names: 'ayffU1d6fs1QLoiW6gwUlAQAg25lynhJyxTB28Gaqp4Qcm2ZmC2EgM', 'kRNyQv1usjYckbu2vSsXzSHXQgYjXWAIZoBg7x7uhqfafWyb9mmR8e', 'DBoSBKob4SVwyaUFlzZk9NggABsBPDE4MiCsflQeXSgsvn6OG1vgfi', 'mmyp5LeUnrwmog7BQQ3KiElRWEY6qrxOoBjH3nqicCgm8b5UAeTe6j', 'HkQlltJK19fgC53uVUFjVHUI7nZwG1d8L7j5EEn4W1PIvtJpZNnoAo', 'JdUzuRjoVb6zoA5FgUPmdlGNOmY9e6hMs08NdIlmR4xPEQ743vo0nU', '_2neWKc1vkerwSgHFBapu4bDmMsHDDgYUddUJSOS8vUh7cYgcoTdGUh', 'h2tpdmxDbVcFqP97JeVK8eUtPAlypimlSzC3jBrqRX0vt265Hmqi8I', '_1IwvCqJdIWQY4XytxIolvoy11qhetjNGh22BM7LJTwezBb1zEyI7VE', 'mJ1IPY6W1XaV3ldBX1cyR2pGDBonwF68ljCayqp6xfPo3Aur7jqGri'
Source: uctgkfb7.exe, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	High entropy of concatenated method names: 'pxRPjWFoxugLopYBLJUfnwIc0yUbHRp4wQAOVIxyFSBWvUPauklbgK', 'TSVOwmRVajfh0KS16j0EhJXln6jwOkuKEgDIFyDVOoBWVgIXyuQcGhdaftSIEpfZocNxHVOh', 'sfQowGjCgw0DMqLkiAxYM32RxPnCb18US7xuU2zpcpXOa8iuNjv1nywfTXTreIKPDyxAULkc', 'pcKnNhkyHRqBC5WZzmp9NS3ENMVGksgSFU4K4jq1GOXlddjdswLkBfoQlJq7NdR6caOjPz7c', '_4nqez5nUA0YKcZUxtsJBvzgVH7Sjgnt4sQOGGKcFAOxSb6vo7qeuFAQb80mT6uXiSWGVFbXY'
Source: uctgkfb7.exe, jPUlF2QgEO8DirrM8D442v.cs	High entropy of concatenated method names: '_6I5VYvu3Dplq8fDaiscBuj', 'PSEzO17P7vxMQWBtYDlZbc', '_5fW8oTTuHVzEn23DHvvMw6', 'Iv1fynZPQKanwb6ErJ0tJj', 'ECvFbMdi8zF9Ex6UwJUoEU', 'NTvh5XelGAoB7yXVG9ve0S', 'OjskcAcup3xBIvtO2GUIGG', 'dJjMW9d3KrIkXH1hAnNsKS', 'zCcTGPNWGhb1khMIAw4sTG2z0TeBgvkUZpmONmUJlC7jxUwiSXkWcv', 'BGw6f2KdicJPmsFkYMKQYneQAD0FO1fEHvBPybLxoyVczA7jj57LYb'
Source: Windows.exe.0.dr, sWFCyZBloO2qwHg6AqqFgvGpZUjJ8MgyUV2WYxuu.cs	High entropy of concatenated method names: 'EzL4uI0oppWRsBiPEPAQzdaRZ9LXMAhoYSYffNsH', 'QStXy8DhHhGXZueiyAnh7dmldotOvxMP2CZcFk3z', '_9dci1nmL710epjtcuxk8dxzIAQ6Wwi3SoMRhUoTT', '_2Tm8qFwImiXroc', 'BSWJDFI2aBC8wo', 'GEs0uUeQjSJXTN', 'HwNLkRF51PNFVw', 'CNYcKOMhqblyKz', 'b5d1i5U5MUP50z', 'xYclXH6S9Rt0xQ'
Source: Windows.exe.0.dr, yTtLI2xFrZoOqJqinkMlrV.cs	High entropy of concatenated method names: '_8a50JnSf0w52YrdxHAjUyfXpfejMpSbiSIrvxo8h', 'U9UagrhpXGceCBMVJOMK1MfuSuzPeHcNjLvZGQkX', 'UMmGacBA47ciyLxrleLNj4FG5MMxQ9QTyXgULPL1', 'qVg93PHT8Z0ec4LRGm5iLzGLZSaZRyWmspINV3dd'
Source: Windows.exe.0.dr, Fh0OvwfTZgkG4WhO2Tr4Bm.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'sbUFf2bMNAgn6jOlMLOL2epUvyifKXgHj1u1EHDd', 'NbGNfvTC4widNEGgxKxFXiSNsaivTTQpXZjQfOle', 'K5lTffvQgZIzvOakqasBh52Ui7MFiygc8iidQwBv', 'LQA9P15XgBdMTw8WRTJDzyA4u71WPFia8XGLvXWX'
Source: Windows.exe.0.dr, K2BD4VkwuldG1qwfBRT1cK.cs	High entropy of concatenated method names: '_33Diw4ZgLrQBhREESzv6NW', '_5ww4TEgBBIElzVa2WBMNGe', 'CFI9YCGNR6rWMjq4pSafRl', 'xvV7JWv5i52Lrq7UDQYlFv', 'g4TbJI7e5hwZxcmoFhiMUc', 'Qlaj1doGzAiYD3II7wFG0X', 'i6zK6p9D7t0f8Wab4grVGy', 'mGRW4wpCFHOUgheAm65ivF', 'foqJwkqKXxWQHhIAPfptbJ', 'wll7prrwQEXdwcIxbTSCOH'
Source: Windows.exe.0.dr, 1PH82pcS9YCbgPm9JRxN2C3CxYUEOymxXnjMbI8HbGcIQiDmSTyGPj.cs	High entropy of concatenated method names: 'ZOFTszbFtr4JIFMAFt4sgyM4DLqjjAteHZA79aBpBf68YGYISk1oEI', 'SFrz6GsEQOjORxlv0Gb9CwwI6GDWKhBjF4SXwN1rF9z09iEffHLeMeuXgQ4HHkDnUSYNKLEI', 'hZdvSTkWU4mhOiCGqYytn1aLtGvV1GzK9FddT5MqRnKL8pQzCG8srLBuDd58ZZmmmnw4hy0p', 'j7wVz3DSTZ3NCtZ4urwCiVVBwm3C2yWUvZ1EVR9dgWAlieTiZSY2ppWopCLreewILvskIFMm', 'g9BWvZANImBBVNbt1UcCI7apN8YtP5tg00EMQqPnzO13BsxOxxliLttvVqpTsUnfNAzpL30g'
Source: Windows.exe.0.dr, bYGvLmBhdxtIyhqc7F2edR.cs	High entropy of concatenated method names: 'TZUzfgi68os3PzWzQLn39x', 'GXEuCUTW6VBXGwxcjYoLRU', 'KYxCAttYFTBCiVnNHix9X3', 'kuqvbqcMOZZuweB6Qj3gM21BW6RTVBXkA1VTmDRK', 'XLKRAKoocgCBJiNcFROQyCMa0DD2KyUI2ApRfdcF', 'Z5YqNnsAmMEVQ2qt9f7xDaMm2q9G7E20reTNLimr', 'EwiHEocfqR76rs5AE0brPCezSw1zjGS1CNEs4AOs', 'B2MDYGkzyL16DrokzAgcxWkOlqSw3D3QsZNkI5CZ', 'bjaOcjek6PPDj6K7itDApsb8N66qLMVRXenrpYBR', 'ZzRHIvm5sq2kw9072FD2lBU9Kxr6qsfS4LFrPZ2C'
Source: Windows.exe.0.dr, Ex9KeX0nrfdGbXoaAAHG8uoR2V0kBgpl0K8UF940BjTbz5BPe30LDU.cs	High entropy of concatenated method names: 'ayffU1d6fs1QLoiW6gwUlAQAg25lynhJyxTB28Gaqp4Qcm2ZmC2EgM', 'kRNyQv1usjYckbu2vSsXzSHXQgYjXWAIZoBg7x7uhqfafWyb9mmR8e', 'DBoSBKob4SVwyaUFlzZk9NggABsBPDE4MiCsflQeXSgsvn6OG1vgfi', 'mmyp5LeUnrwmog7BQQ3KiElRWEY6qrxOoBjH3nqicCgm8b5UAeTe6j', 'HkQlltJK19fgC53uVUFjVHUI7nZwG1d8L7j5EEn4W1PIvtJpZNnoAo', 'JdUzuRjoVb6zoA5FgUPmdlGNOmY9e6hMs08NdIlmR4xPEQ743vo0nU', '_2neWKc1vkerwSgHFBapu4bDmMsHDDgYUddUJSOS8vUh7cYgcoTdGUh', 'h2tpdmxDbVcFqP97JeVK8eUtPAlypimlSzC3jBrqRX0vt265Hmqi8I', '_1IwvCqJdIWQY4XytxIolvoy11qhetjNGh22BM7LJTwezBb1zEyI7VE', 'mJ1IPY6W1XaV3ldBX1cyR2pGDBonwF68ljCayqp6xfPo3Aur7jqGri'
Source: Windows.exe.0.dr, lxUbHczFnv6JSzKMq3FhKwN9ddv0T4pAQGhM965iwc6TSU5dTF47oJ.cs	High entropy of concatenated method names: 'pxRPjWFoxugLopYBLJUfnwIc0yUbHRp4wQAOVIxyFSBWvUPauklbgK', 'TSVOwmRVajfh0KS16j0EhJXln6jwOkuKEgDIFyDVOoBWVgIXyuQcGhdaftSIEpfZocNxHVOh', 'sfQowGjCgw0DMqLkiAxYM32RxPnCb18US7xuU2zpcpXOa8iuNjv1nywfTXTreIKPDyxAULkc', 'pcKnNhkyHRqBC5WZzmp9NS3ENMVGksgSFU4K4jq1GOXlddjdswLkBfoQlJq7NdR6caOjPz7c', '_4nqez5nUA0YKcZUxtsJBvzgVH7Sjgnt4sQOGGKcFAOxSb6vo7qeuFAQb80mT6uXiSWGVFbXY'
Source: Windows.exe.0.dr, jPUlF2QgEO8DirrM8D442v.cs	High entropy of concatenated method names: '_6I5VYvu3Dplq8fDaiscBuj', 'PSEzO17P7vxMQWBtYDlZbc', '_5fW8oTTuHVzEn23DHvvMw6', 'Iv1fynZPQKanwb6ErJ0tJj', 'ECvFbMdi8zF9Ex6UwJUoEU', 'NTvh5XelGAoB7yXVG9ve0S', 'OjskcAcup3xBIvtO2GUIGG', 'dJjMW9d3KrIkXH1hAnNsKS', 'zCcTGPNWGhb1khMIAw4sTG2z0TeBgvkUZpmONmUJlC7jxUwiSXkWcv', 'BGw6f2KdicJPmsFkYMKQYneQAD0FO1fEHvBPybLxoyVczA7jj57LYb'

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\Windows.exe

Jump to dropped file

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\uctgkfb7.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe"

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows			Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows			Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Windows.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\uctgkfb7.exe	Memory allocated: 1030000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Memory allocated: 1AD30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1AEE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 11E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1ACB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 2FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1B1C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1130000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1AF40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 25C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1A890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: AD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1A5A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 9A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Windows.exe	Memory allocated: 1A750000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Window / User API: threadDelayed 4134			Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Window / User API: threadDelayed 5657			Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe TID: 7960	Thread sleep time: -23980767295822402s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe TID: 7968	Thread sleep count: 4134 > 30	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe TID: 7968	Thread sleep count: 5657 > 30	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 8004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 8148	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 5128	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 6444	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 6972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 3964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Windows.exe TID: 3604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Windows.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: uctgkfb7.exe, 00000000.00000002.3732431926.000000001BCB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAWrs%SystemRoot%\system32\mswsock.dll <add name="AspNetSqlMembershipProvider"

Source: C:\Users\user\Desktop\uctgkfb7.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Windows.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Windows.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Windows.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Windows.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Windows.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe"

Jump to behavior

Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: uctgkfb7.exe, 00000000.00000002.3729848794.0000000002F66000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager2

Source: C:\Users\user\Desktop\uctgkfb7.exe	Queries volume information: C:\Users\user\Desktop\uctgkfb7.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\uctgkfb7.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Windows.exe	Queries volume information: C:\Users\user\Windows.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\uctgkfb7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: uctgkfb7.exe, 00000000.00000002.3732431926.000000001BCFE000.00000004.00000020.00020000.00000000.sdmp, uctgkfb7.exe, 00000000.00000002.3732431926.000000001BD4E000.00000004.00000020.00020000.00000000.sdmp, uctgkfb7.exe, 00000000.00000002.3732431926.000000001BCB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\uctgkfb7.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: uctgkfb7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uctgkfb7.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uctgkfb7.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: uctgkfb7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.uctgkfb7.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: uctgkfb7.exe PID: 7724, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\Windows.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	12 Process Injection	111 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
uctgkfb7.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT
uctgkfb7.exe	100%	Avira	HEUR/AGEN.1305769
uctgkfb7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Windows.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\Windows.exe	100%	Joe Sandbox ML
C:\Users\user\Windows.exe	84%	ReversingLabs	ByteCode-MSIL.Spyware.AsyncRAT

Source	Detection	Scanner	Label	Link
rondtimes.top	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rondtimes.top	192.210.175.202	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rondtimes.top	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	uctgkfb7.exe, 00000000.00000002.3729848794.0000000002D31000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.210.175.202	rondtimes.top	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577363
Start date and time:	2024-12-18 12:32:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	uctgkfb7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/3@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 99% Number of executed functions: 133 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Windows.exe, PID 2472 because it is empty
Execution Graph export aborted for target Windows.exe, PID 3068 because it is empty
Execution Graph export aborted for target Windows.exe, PID 5652 because it is empty
Execution Graph export aborted for target Windows.exe, PID 5948 because it is empty
Execution Graph export aborted for target Windows.exe, PID 6100 because it is empty
Execution Graph export aborted for target Windows.exe, PID 7976 because it is empty
Execution Graph export aborted for target Windows.exe, PID 8128 because it is empty
Execution Graph export aborted for target uctgkfb7.exe, PID 7724 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: uctgkfb7.exe

Simulations

Behavior and APIs

Time	Type	Description
06:33:17	API Interceptor	13284701x Sleep call for process: uctgkfb7.exe modified
12:33:18	Task Scheduler	Run new task: Windows path: C:\Users\user\Windows.exe
12:33:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\Windows.exe
12:33:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows C:\Users\user\Windows.exe
12:33:37	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	file.exe	Get hash	malicious	Remcos	Browse	107.173.4.16
	SwiftCopy_PaymtRecpt121228.exe	Get hash	malicious	Remcos	Browse	192.210.150.17
	Document.xla	Get hash	malicious	Unknown	Browse	172.245.123.12
	greatnicefeatureswithsupercodebnaturalthingsinlineforgiven.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.95.235.29
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	23.95.235.29
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	172.245.123.12
	ORDER-24171200967.XLS..js	Get hash	malicious	WSHRat, Caesium Obfuscator, STRRAT	Browse	192.3.220.6
	newthingswithgreatupdateiongivenbestthingswithme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	107.173.4.16
	crreatedbestthingswithgreatattitudeneedforthat.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	107.173.4.16
	Smple_Order-048576744759475945.xls	Get hash	malicious	Unknown	Browse	192.3.179.166

Process:	C:\Users\user\Windows.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	654
Entropy (8bit):	5.380476433908377
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5:	30E4BDFC34907D0E4D11152CAEBE27FA
SHA1:	825402D6B151041BA01C5117387228EC9B7168BF
SHA-256:	A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512:	89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Download File

Process:	C:\Users\user\Desktop\uctgkfb7.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 18 10:33:16 2024, mtime=Wed Dec 18 10:33:16 2024, atime=Wed Dec 18 10:33:16 2024, length=57856, window=hide
Category:	dropped
Size (bytes):	772
Entropy (8bit):	5.084361151518897
Encrypted:	false
SSDEEP:	12:8al8/4hmoHrJC5Ur5MjA+3lK7bW+1gUNwuLA7l244t2YZ/elFlSJmkmV:8qZHrJl5IAKK76+17g52wqygm
MD5:	5149D0AE75234048665F76235B620D12
SHA1:	C8BAC7CD455B5707C3ABA44BE1DF6D911C511F03
SHA-256:	49E573B19880EFFC377F9BAE7E2168C459D6C28248C49E015352CFBB9D541A3B
SHA-512:	274C7EE73C0BF3FE843525B62C01A10DC889CA6C4F4498A05B1B3CEE5A90EC4E88E8605E9D3A25D25A9F472ABBAABDBF363516311B4A756E54460B2AF0AFEA22
Malicious:	false
Reputation:	low
Preview:	L..................F.... .....\.@Q....\.@Q....\.@Q............................:..DG..Yr?.D..U..k0.&...&.........5q.....\.@Q..G~..@Q......t. .CFSF..2......Y)\ .Windows.exe...t.Y^...H.g.3..(.....gVA.G..k...H......Y)\.Y)\.............................W.i.n.d.o.w.s...e.x.e...F...H...............-.......G............ny......C:\Users\user\Windows.exe.. .....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s...e.x.e.............:...........\|....I.J.H..K..:...`.......X.......936905...........hT..CrF.f4... .S...jc...+...E...hT..CrF.f4... .S...jc...+...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\Windows.exe

Download File

Process:	C:\Users\user\Desktop\uctgkfb7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	57856
Entropy (8bit):	5.934885873938917
Encrypted:	false
SSDEEP:	1536:MUQ5SkVGKOuZFlPvHgnAb1587R9OX+qOPc:MUQncKOO3gnAb15qEX+qOPc
MD5:	775F4C7210DF898B94567787F91821F8
SHA1:	3B07503249AE0460CA0CB8CD892CA0A9FE6DA2BF
SHA-256:	1733612A98EDF009C2B9154063A21DE71129BA2A5574F7A1DF6F82CE4111AE9F
SHA-512:	A093486792FF12D6511BC03329909C6CC3B52E8FE2E0B556641F6025E89C8FCA794DB8CCBE8E1B65AB4016155AAA9FCD0CF40F82682CE2DE9FC9FEE370C185F0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Windows.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Windows.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. .......................@............@.................................`...K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........X..T.......&.....................................................(.....r...p. .O....(.....rS..p. ..[..s.........s.........s.........s..........r...p.r...p. .x...rI..p. .....r...p. `...r...p. .\|3...((....r...p. S....rC..p. `...&(....&+..+5sR... .... .'..oS...(...~....-.(A...(3...~....oT...&.-..rK..p. ~.H..r...p.r...p. .I...rA..p. .i...............j..................sU..............~........."(C...+.:.t....(>...+..r...p. .;...r...p

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.934885873938917
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	uctgkfb7.exe
File size:	57'856 bytes
MD5:	775f4c7210df898b94567787f91821f8
SHA1:	3b07503249ae0460ca0cb8cd892ca0a9fe6da2bf
SHA256:	1733612a98edf009c2b9154063a21de71129ba2a5574f7a1df6f82ce4111ae9f
SHA512:	a093486792ff12d6511bc03329909c6cc3b52e8fe2e0b556641f6025e89c8fca794db8ccbe8e1b65ab4016155aaa9fcd0cf40f82682ce2de9fc9fee370c185f0
SSDEEP:	1536:MUQ5SkVGKOuZFlPvHgnAb1587R9OX+qOPc:MUQncKOO3gnAb15qEX+qOPc
TLSH:	A8437D5877E68226E2FE5FF669F27063C679F1231C03965F24D9008B5B23A85CD807E6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40f6ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x672EA093 [Fri Nov 8 23:36:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf660	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x4d6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd6b4	0xd800	6e03debce771a7b7d8129b0f81b3ce67	False	0.6013093171296297	data	6.031154093365925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x10000	0x4d6	0x600	db200c354f643d7e877dc5314be85f80	False	0.3743489583333333	data	3.718671543928007	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12000	0xc	0x200	f9e5d10342c566ee6175dd6e4817b9e5	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x100a0	0x24c	data			0.4710884353741497
RT_MANIFEST	0x102ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T12:33:32.487800+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.10	49708	192.210.175.202	1940	TCP
2024-12-18T12:37:13.739297+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.10	49981	192.210.175.202	1940	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:33:18.516278982 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:18.674179077 CET	1940	49708	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:18.674276114 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:18.841059923 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:19.025693893 CET	1940	49708	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:32.487799883 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:32.608067989 CET	1940	49708	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:40.584327936 CET	1940	49708	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:40.584395885 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:40.816623926 CET	49708	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:40.818386078 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:40.936249018 CET	1940	49708	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:40.938390017 CET	1940	49762	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:40.938668966 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:40.996279955 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:41.116102934 CET	1940	49762	192.210.175.202	192.168.2.10
Dec 18, 2024 12:33:54.535752058 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:33:54.655379057 CET	1940	49762	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:02.834434032 CET	1940	49762	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:02.837038994 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:03.895502090 CET	49762	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:03.897286892 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:04.015094042 CET	1940	49762	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:04.016801119 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:04.016968966 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:04.056303978 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:04.175957918 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:14.082794905 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:14.202301979 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:22.863609076 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:22.983226061 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:24.271918058 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:24.475975990 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:25.928569078 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:25.928642988 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:26.379753113 CET	49814	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:26.381042957 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:26.499356031 CET	1940	49814	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:26.500562906 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:26.500715017 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:26.609966040 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:26.729631901 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:31.957432032 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:32.076971054 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:32.079905987 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:32.199390888 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:32.287756920 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:32.407380104 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:32.407764912 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:32.527357101 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:37.411262989 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:37.530894995 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:37.530953884 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:37.651122093 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:40.725850105 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:40.845383883 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:44.785536051 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:44.907387972 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:47.348050117 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:47.467544079 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:48.413420916 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:48.413506985 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:52.597790956 CET	49865	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:52.601568937 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:52.717420101 CET	1940	49865	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:52.721115112 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:52.721209049 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:52.766812086 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:52.886773109 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:52.895453930 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:53.015095949 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:53.015153885 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:53.134645939 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:53.134767056 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:53.254241943 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:57.957457066 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:58.077088118 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:34:58.144990921 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:34:58.265708923 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:05.302542925 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:05.422152996 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:08.333096027 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:08.452820063 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:08.520183086 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:08.640043974 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:08.640095949 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:08.759826899 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:08.863809109 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:08.983546019 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:11.692024946 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:11.811788082 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:14.664973021 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:14.665038109 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:18.895103931 CET	49924	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:18.897193909 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:19.014672041 CET	1940	49924	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:19.017066956 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:19.017160892 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:19.063384056 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:19.183037043 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:19.223848104 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:19.343609095 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:22.801445007 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:22.921175003 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:24.395212889 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:24.514869928 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:24.514944077 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:24.637984037 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:34.348355055 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:34.467961073 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:34.723275900 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:34.842958927 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:34.843205929 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:34.962666035 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:38.582730055 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:38.702342033 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:40.898650885 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:40.898721933 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:44.910577059 CET	49977	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:44.925688028 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:45.030231953 CET	1940	49977	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:45.045233965 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:45.045329094 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:45.082071066 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:45.201917887 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:45.203973055 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:45.323714018 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:45.426330090 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:45.545768023 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:47.755889893 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:47.875529051 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:48.863224983 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:49.002525091 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:50.160809994 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:50.280322075 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:50.280396938 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:50.400069952 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:35:50.400170088 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:35:50.520003080 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:01.410813093 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:01.530592918 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:06.930375099 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:06.930437088 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.035868883 CET	49978	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.040924072 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.155363083 CET	1940	49978	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:11.160393000 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:11.160459042 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.194926023 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.314460993 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:11.314573050 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.434061050 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:11.434134007 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.553705931 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:11.553774118 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:11.673501015 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:16.551403046 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:16.670989037 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:20.083101988 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:20.203181028 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:23.926609993 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:24.048507929 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:25.473160982 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:25.593741894 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:26.613934994 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:26.733575106 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:26.738806963 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:26.858347893 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:26.858412981 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:26.978018045 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:26.978095055 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:27.097621918 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:32.020153046 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:32.140520096 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:32.140656948 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:32.260813951 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:33.118769884 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:33.118849993 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.129396915 CET	49979	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.132626057 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.250324011 CET	1940	49979	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:37.252748013 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:37.256155968 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.400403023 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.520262957 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:37.522439003 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:37.642152071 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:42.739022970 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:42.858596087 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:42.858648062 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:42.978473902 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:47.832891941 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:47.952472925 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:50.301457882 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:50.421282053 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:51.428004026 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:51.547671080 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:52.348718882 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:52.468203068 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:52.989208937 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:53.108943939 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:53.109030008 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:36:53.228763103 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:59.150177002 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:36:59.150264978 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:03.160573959 CET	49980	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:03.163063049 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:03.299370050 CET	1940	49980	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:03.299420118 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:03.299866915 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:03.409104109 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:03.528611898 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:03.926393986 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:04.045896053 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:08.504868031 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:08.624602079 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:09.523094893 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:09.642859936 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:13.739296913 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:13.859095097 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:14.504595995 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:14.624218941 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:16.426526070 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:16.546892881 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:16.942257881 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:17.061958075 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:25.197834015 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:25.197937012 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:28.785890102 CET	49981	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:28.787003040 CET	49982	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:28.905728102 CET	1940	49981	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:28.906615973 CET	1940	49982	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:28.906833887 CET	49982	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:28.934376955 CET	49982	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:29.054390907 CET	1940	49982	192.210.175.202	192.168.2.10
Dec 18, 2024 12:37:39.754672050 CET	49982	1940	192.168.2.10	192.210.175.202
Dec 18, 2024 12:37:39.874404907 CET	1940	49982	192.210.175.202	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 12:33:18.063843012 CET	52065	53	192.168.2.10	1.1.1.1
Dec 18, 2024 12:33:18.489492893 CET	53	52065	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 12:33:18.063843012 CET	192.168.2.10	1.1.1.1	0xec79	Standard query (0)	rondtimes.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 12:33:18.489492893 CET	1.1.1.1	192.168.2.10	0xec79	No error (0)	rondtimes.top		192.210.175.202	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	06:33:11
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\uctgkfb7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\uctgkfb7.exe"
Imagebase:	0x9f0000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1289073487.00000000009F2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:33:16
Start date:	18/12/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\user\Windows.exe"
Imagebase:	0x7ff666160000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:33:16
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:33:18
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Windows.exe
Imagebase:	0xc10000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Windows.exe, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Windows.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 84%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:33:29
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Windows.exe"
Imagebase:	0xaa0000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:33:37
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Windows.exe"
Imagebase:	0xfc0000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:34:01
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Windows.exe
Imagebase:	0xcc0000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:35:00
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Windows.exe
Imagebase:	0x5c0000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:36:01
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Windows.exe
Imagebase:	0x280000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:37:00
Start date:	18/12/2024
Path:	C:\Users\user\Windows.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Windows.exe
Imagebase:	0x260000
File size:	57'856 bytes
MD5 hash:	775F4C7210DF898B94567787F91821F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF7C0E21291 Relevance: 2.0, Strings: 1, Instructions: 720COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FF7C0E214D1

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: ba126f8939d215141d32a01bc8adba963e2fb098fa860db603ab26b282620794
Instruction ID: 4ae6c79e116733ebf7e53755e163c2057da7d470d444ca48fac58d33fd716fa9
Opcode Fuzzy Hash: ba126f8939d215141d32a01bc8adba963e2fb098fa860db603ab26b282620794
Instruction Fuzzy Hash: 0E227F61A58A494FE798FB38D4997B9B7D2FF98750F84457DE00EC3382DE28B8418781

Function 00007FF7C0E273F6 Relevance: .5, Instructions: 488COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38ae91dfa7d2c889f27d9975ae79fba3fd1dca498ac398761f424d4c9782385
Instruction ID: 8fd0b988f4006d8cccaad91124497dd5d1a6c2b6e92e4c9e0350f8d82eb6062e
Opcode Fuzzy Hash: b38ae91dfa7d2c889f27d9975ae79fba3fd1dca498ac398761f424d4c9782385
Instruction Fuzzy Hash: ABF1A130908A8E8FEBA8EF28C8557E977E1FF55310F44426EE84DC7391CB74A9418B91

Function 00007FF7C0E281A2 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f672395594d71a0ea7d36e6d74b2b185ae8c458eee72d3ac079528ce367c8407
Instruction ID: c32231e1f2bbfb35db4e6e0fd199058a3a0ed28f95e576b2ab39d2003255723e
Opcode Fuzzy Hash: f672395594d71a0ea7d36e6d74b2b185ae8c458eee72d3ac079528ce367c8407
Instruction Fuzzy Hash: FFE19F30909A8E8FEBA8EF28C8557E977D1FF54320F54426ED84DC7291DB78A9418BC1

Function 00007FF7C0E21B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16eb515f81774b29bd35e753cbef8e73c6a2ae43444b1431eb3575fb831bf6fc
Instruction ID: 936f64d69f7daeac2c8083e96b2dae852e42b6b8ffe6a7b8dd2c2f16f7fec468
Opcode Fuzzy Hash: 16eb515f81774b29bd35e753cbef8e73c6a2ae43444b1431eb3575fb831bf6fc
Instruction Fuzzy Hash: 44513724A4D6C54FD786BB385865275BFE1EF97225B0805FFE08DC7293DD186806C392

Function 00007FF7C0E28A81 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

d, xrefs: 00007FF7C0E28AE3

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b3dcf9b83ba5e45c149c5cfe20b583d7356e505546a53d2337a390b66d5a24b7
Instruction ID: 179ec5ab15b33c81bb477c8430ac5a15e9b81c31b8fd6c9c2bc3b85650e33687
Opcode Fuzzy Hash: b3dcf9b83ba5e45c149c5cfe20b583d7356e505546a53d2337a390b66d5a24b7
Instruction Fuzzy Hash: 6811E171E492594FEB44BF7488092FEBBA0EF55314F49017FC949DB392DB28684087A1

Function 00007FF7C0E228D1 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FF7C0E228F6

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: a35fe6bc6fcf7344954eafd7012ee2c96e99a8ad027be4338380883555cc94d1
Instruction ID: c66762afdf3e17d4ab486101b354bc9106d7b362411901cdb790cb01cc6e92cf
Opcode Fuzzy Hash: a35fe6bc6fcf7344954eafd7012ee2c96e99a8ad027be4338380883555cc94d1
Instruction Fuzzy Hash: B1018020E4C2825AF769BB3888526B9A6A29FC5370FC4017DE009C73C7DF2CB84583E1

Function 00007FF7C0E22918 Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SAP_^, xrefs: 00007FF7C0E228F6

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID: SAP_^
API String ID: 0-3471593181
Opcode ID: f34fda7ffa76d765c255121d09321d0f41f314804e16fc8bc168f26423b6d829
Instruction ID: 9e2861a7c0d2a57f8d87c1535e9c6b37532a2d7851659090b8720675a4f0a79e
Opcode Fuzzy Hash: f34fda7ffa76d765c255121d09321d0f41f314804e16fc8bc168f26423b6d829
Instruction Fuzzy Hash: 88F06D21D8C6465BE365FF38C4406B9A3A1AF99370FD0467CD109C23D2CF28B4818790

Function 00007FF7C0E20DB8 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5fcfadbe93653c60678626d4edfe33783aa9fde0ebbecad93c21e0936c86b0
Instruction ID: 4219146221bc310b77ac1a6e2d0499c8f6dac9f28c4149ab5d2f5e9682c5919d
Opcode Fuzzy Hash: 7c5fcfadbe93653c60678626d4edfe33783aa9fde0ebbecad93c21e0936c86b0
Instruction Fuzzy Hash: 8FA1B3A1F1C9494FE758BB3894597B9A7D2FB98360F94067ED00EC33C6DE286C424791

Function 00007FF7C0E27DB6 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27ded186678e549f2fc761900a7fea6e506402a3ab7e795279f5bbc36d5dc614
Instruction ID: f277b41553c21252b0797410f78a66d4589622951c6a7b54c245d38f4dca7834
Opcode Fuzzy Hash: 27ded186678e549f2fc761900a7fea6e506402a3ab7e795279f5bbc36d5dc614
Instruction Fuzzy Hash: 3BB1B33060CA494FEB69EF28C8557F97BD1FF55350F44826EE88DC7292CB34A9458B82

Function 00007FF7C0E2341F Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8f47d2ec37f2c07e34df562f06ec3642a539dd765e439765534b67f3bc26b0
Instruction ID: c22e6220d0dd72e974fe1beb126c68805a43c228dbf66bb274b68eae60a19438
Opcode Fuzzy Hash: 3d8f47d2ec37f2c07e34df562f06ec3642a539dd765e439765534b67f3bc26b0
Instruction Fuzzy Hash: E091B4A1F1C9494FE758BB3894597B9A7D2FB98360F94067ED00EC37C6DE286C428781

Function 00007FF7C0E23805 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 752ea58b06a1967a72b902a891d46acd52557e8beccf1bad04a54c270aeda3ab
Instruction ID: 0a756028f8a3fa5b21480130cb43c1fd7538e14be05284ceafb5276114274b0a
Opcode Fuzzy Hash: 752ea58b06a1967a72b902a891d46acd52557e8beccf1bad04a54c270aeda3ab
Instruction Fuzzy Hash: 84816E60768A454FE288B77CD8AA7B9B3D2EF98351F90457AE00DC33D3DD58BC418652

Function 00007FF7C0E2954D Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a79116221ffe2b0882ff236df2c6d1d4f7a21e21104447265703207196234b16
Instruction ID: 0ade4bee26cabd38102a08f01693137c181d35b10123fe7fb2b55fb6c4c0a45e
Opcode Fuzzy Hash: a79116221ffe2b0882ff236df2c6d1d4f7a21e21104447265703207196234b16
Instruction Fuzzy Hash: C671C431A589484FDB59FF38D899AF9B7E1EF59320F44017AE00ED7292CE28B841C791

Function 00007FF7C0E217C7 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c4237c055b44b3cd6b0e0a5f114dea6cc4ebe0362f06f9c22080e00f160c8c
Instruction ID: 5daf0ff791e5ab057c8627800369031d2e5dc84b99f05123cea232d01f0e2b37
Opcode Fuzzy Hash: 05c4237c055b44b3cd6b0e0a5f114dea6cc4ebe0362f06f9c22080e00f160c8c
Instruction Fuzzy Hash: B561B761F1CE494FE798FB3C94952B9A7D1FF98660F84467ED00DC3386DE28A9414781

Function 00007FF7C0E20DC0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344c04d00469ff93ecde42b19074af01a446c6919865f65672aaa59895acd68b
Instruction ID: 161f1eff8d84bada662ed9fc9539715d53ba5b3244ede5b40fa682d08a2cce3c
Opcode Fuzzy Hash: 344c04d00469ff93ecde42b19074af01a446c6919865f65672aaa59895acd68b
Instruction Fuzzy Hash: 586111607289094FE688B77CD89A7B9B3D2EF98351F90457AE00EC37D3DD68BC818651

Function 00007FF7C0E295A0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6101d685018403cff7b19eb48d3ce9ebb9323a90f9e97c1e61de5cea0f2b0f70
Instruction ID: c261e64153024e791e0167bff6beb61e78f709fb34f113ecda464b84f2a0e0be
Opcode Fuzzy Hash: 6101d685018403cff7b19eb48d3ce9ebb9323a90f9e97c1e61de5cea0f2b0f70
Instruction Fuzzy Hash: CB615F71A189198FEB98FB38D499AA9B7E1FF58320F54057AD00ED3292CE24BC418791

Function 00007FF7C0E28B5D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c95630981d531ec30cc7ed1e94d3d06a1abb9e77007324d871dd5f551f46ced8
Instruction ID: 50c3a79f10280c2c61d3d34eb64eace6b0c26fff9f80d7a12acfee4562be5b60
Opcode Fuzzy Hash: c95630981d531ec30cc7ed1e94d3d06a1abb9e77007324d871dd5f551f46ced8
Instruction Fuzzy Hash: 33517230A08A1C4FEB58EF68D845BE9B7F1FF59310F10426ED44DD7252CA34A8468B81

Function 00007FF7C0E29B3A Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d2249a7620b0d40ff5261187e5ce0033dab1aac6505ea811bc798e451df573
Instruction ID: 94a38bb790461008f612f2b8a5ad5758c93183900cd06ada0bc36d808f8bada4
Opcode Fuzzy Hash: f9d2249a7620b0d40ff5261187e5ce0033dab1aac6505ea811bc798e451df573
Instruction Fuzzy Hash: 3351227094CA488FD718EF68D8556F9BBE0EF55320F4441BED04DC7292DB78A846CB91

Function 00007FF7C0E24901 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8829cfdeef0f198d47fed22c46f45e0ac1bc7f09e22eb8be897f6c78d4cfcec7
Instruction ID: d4e89f78013d5d9a7c85167b113cbacbd4021e030d4d5d8538be0e5caa48f7e4
Opcode Fuzzy Hash: 8829cfdeef0f198d47fed22c46f45e0ac1bc7f09e22eb8be897f6c78d4cfcec7
Instruction Fuzzy Hash: BF513A71918A1C8FDBA8EF58D845BE9B7F1FB58310F1082AAD40DE3351DE34A9858F81

Function 00007FF7C0E20DE0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ba4bf6992dc13e595abf5dd6099310e93b2d5943bb0f77351e7c1b9117b616
Instruction ID: 003a711e67b1d3e18ba38629c0e11e2302db6875e478cd3770903e288bd6ff7d
Opcode Fuzzy Hash: 03ba4bf6992dc13e595abf5dd6099310e93b2d5943bb0f77351e7c1b9117b616
Instruction Fuzzy Hash: BF513030E589198FEB98FB28D8956BDB3E1FF98355F901579E00DD3392DE28B8418790

Function 00007FF7C0E20608 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4f8d662e684842284592acab78d27a7e63075a9cf8cc5773fadb7a56ed0af6
Instruction ID: ccde39cb58272835f4a26a974feb4f36780bae1272386842681b29653d360814
Opcode Fuzzy Hash: 2b4f8d662e684842284592acab78d27a7e63075a9cf8cc5773fadb7a56ed0af6
Instruction Fuzzy Hash: 3041F721B1DA4A0FE355BB3C9856279B7D2EF8A270B4802BED44DC3293DD18BC428391

Function 00007FF7C0E20BEE Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e5857102295873539c8144a23cb26019565c1000b7d06312fdef330d8698a4
Instruction ID: be2b3a5f255e1c1016a086ea7cf872a52bbda06a1141e24356f00806fa20a0c4
Opcode Fuzzy Hash: 10e5857102295873539c8144a23cb26019565c1000b7d06312fdef330d8698a4
Instruction Fuzzy Hash: 1F414821A0DA8A0FE796BB3C985A2757BD2DF8A230B4901BED44DC7293DD5CBC428351

Function 00007FF7C0E20E20 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3b5c7e6b77fa04cd7feb9f2e99f2008cb0c96528402a7836ecceeb533420c6
Instruction ID: be2f5a30d7eefbfd0968e3c979370ae4975c58d0a3973eec9ad58ce9922a1afa
Opcode Fuzzy Hash: 5e3b5c7e6b77fa04cd7feb9f2e99f2008cb0c96528402a7836ecceeb533420c6
Instruction Fuzzy Hash: E541607094891D8FDB98EF68D499BB977E0FF68311F40057ED00AD3692CB75A841CB51

Function 00007FF7C0E28EC1 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f8ec6824ae9bdc2d41a0f784cc121f44ba7fa38a60030aa42a449f106702c1
Instruction ID: 02c3113a5607792df078bf272a1e07dd5ad71bace97a0fa3973793c71ec889e6
Opcode Fuzzy Hash: 75f8ec6824ae9bdc2d41a0f784cc121f44ba7fa38a60030aa42a449f106702c1
Instruction Fuzzy Hash: 75417D71A499098FEB84FF78C5596BDB7E2FF99311B44017AD409D3292DF28A8418790

Function 00007FF7C0E20528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056046ac4b05ca05c4ce763ac4159fd038d9d9729284dc0dc5d5585539fc4dcd
Instruction ID: 34f1ecbbff752c02bc38586d1b5dd88eb0b71d7f6769d6f3424123f4c053d38c
Opcode Fuzzy Hash: 056046ac4b05ca05c4ce763ac4159fd038d9d9729284dc0dc5d5585539fc4dcd
Instruction Fuzzy Hash: 3331B531B189494FE798FB2D945A379B7D2EF99361F4406BEE00EC3293CD68AC418381

Function 00007FF7C0E20DB0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b4e0b338c8c4570cd2e5af95937cc617437374d1beece83a9f09e1eceb954ec
Instruction ID: 889db5e145804139d5320c016c976488a0abf3dbb9d3df4ec58f52911ebb8e90
Opcode Fuzzy Hash: 5b4e0b338c8c4570cd2e5af95937cc617437374d1beece83a9f09e1eceb954ec
Instruction Fuzzy Hash: 7E417D30A5890A9BEB99FF6884556B9B3E1FF58320F94027DD11ED7382DF68B8418790

Function 00007FF7C0E20DE5 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc079b26de40f4fd864713935e7fed09089f3af7f93655f6b401b8891abce9a5
Instruction ID: a40dfe308f6980f38519ee88dfe4a06e96e7ef2c051e7a0eb6830f938229fd53
Opcode Fuzzy Hash: dc079b26de40f4fd864713935e7fed09089f3af7f93655f6b401b8891abce9a5
Instruction Fuzzy Hash: 64314671A4891D8FEB94FF68C5596BDB7E2EF98311B90053AD409E3392DE38A8418790

Function 00007FF7C0E20949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5a4b2e32b65c21a2e48f28ca597e2ae559594d0e733307ecd9c2027ec929e2a
Instruction ID: 7f9cfa057ae2cd6507c9c4a8f9fcbb249c6e1668e6d5a12f5b309161bd2bc437
Opcode Fuzzy Hash: e5a4b2e32b65c21a2e48f28ca597e2ae559594d0e733307ecd9c2027ec929e2a
Instruction Fuzzy Hash: 16315070E58A0A9FDB84FB68D8956EEB7A1FF88310F90457AD009D3387CE3878418790

Function 00007FF7C0E28D89 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915bdded93e2832b52296368247988efd10121a483562ae712f5303e89f5666a
Instruction ID: 3bf8fd64b173a7d0a1ba62bab0dace33f7e456d9ee8f1b9d8ee507e5214bb6b1
Opcode Fuzzy Hash: 915bdded93e2832b52296368247988efd10121a483562ae712f5303e89f5666a
Instruction Fuzzy Hash: E131F870649A959FD792FB38C8416B977E1FF56311B8401AAD048C3393DF38B841C791

Function 00007FF7C0E25470 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b37ef3395d09907880eeb54162c70ff3512837d3c6fe72a099a09689bedc1977
Instruction ID: 1e10e4805c68ff2fcfbb263f78d8f7a085284da830e09728deddc70cdc882df9
Opcode Fuzzy Hash: b37ef3395d09907880eeb54162c70ff3512837d3c6fe72a099a09689bedc1977
Instruction Fuzzy Hash: 0731B47190CA488FDB18DF68D8497FABBF0EB65321F00412FD08AC3652CB746845CB91

Function 00007FF7C0E298E1 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5da72821340b43c731741f87607c81b64b5692036ca565f2ae035e5336f0fe50
Instruction ID: 093abb8d1313035093696595dca6ba76902650a93fb54f974a97f155d4a1f956
Opcode Fuzzy Hash: 5da72821340b43c731741f87607c81b64b5692036ca565f2ae035e5336f0fe50
Instruction Fuzzy Hash: 6F218071B18D494FEB84FB6C9499AB9B7E1FF99360B44057EE40EC3292DE24AC418780

Function 00007FF7C0E21155 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9523e8891832f36d5fed6cacc2469dad50ed5f9ed72946677e3db4dace4a795
Instruction ID: 0a061adff5fd4d41770f40b6c52800cea3ae7a238c053cffafcff304584c0184
Opcode Fuzzy Hash: b9523e8891832f36d5fed6cacc2469dad50ed5f9ed72946677e3db4dace4a795
Instruction Fuzzy Hash: 4C31047190898E8FCB45EB68D8A16EDBB71FF88350F4002B6C00AE3397CE3079458790

Function 00007FF7C0E23AF5 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c6b1ff4567e74955af86c7191fdcf8709e6e88a41287188a668b05638e57ba
Instruction ID: decd279d85288b22e4f6c9d3727af6645087b9bf336350fbbf50dc31ee584714
Opcode Fuzzy Hash: 62c6b1ff4567e74955af86c7191fdcf8709e6e88a41287188a668b05638e57ba
Instruction Fuzzy Hash: 0A21C9107649094BF644B6ACD8AA7B8E2C6DFA8360FD4817AE50AC37E7CC587C819652

Function 00007FF7C0E20AA0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbb012f48f5e7538e5d9a07327750defba91988dff5d54b54001de23be87649
Instruction ID: 48a6418a7d246dee44a6cb8e50c5ab4d2db150d657e3562f6138237023f341c9
Opcode Fuzzy Hash: 3cbb012f48f5e7538e5d9a07327750defba91988dff5d54b54001de23be87649
Instruction Fuzzy Hash: DB119021E18E094FE688B679585D77DB6D2EF98B61F80427EE00DC33C3DD28AC414791

Function 00007FF7C0E29D11 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087f4b94c470f7869c4c1e3147cf62bb86bbefe26375fe49fab2c8ac395165dd
Instruction ID: 47542ba78214d5cfe9ef6cf88bf8b05c0c0d7abdcff1b874705284e4e6f40a2a
Opcode Fuzzy Hash: 087f4b94c470f7869c4c1e3147cf62bb86bbefe26375fe49fab2c8ac395165dd
Instruction Fuzzy Hash: FE21AE60A6C9594FE746BB7898667B9B7C1EF98760F8441BAE00CC33C3DD18784187A2

Function 00007FF7C0E28900 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2cc7e9ed0afc02b51d15f4f282bc300aa7aa414672aaac85cab5f8f7becb49
Instruction ID: 0b63b7705f39242795dfb71d936fe7467157a33d870876daff68343690d6fc56
Opcode Fuzzy Hash: 8e2cc7e9ed0afc02b51d15f4f282bc300aa7aa414672aaac85cab5f8f7becb49
Instruction Fuzzy Hash: DA110471E4C9594FEB55FB7C94062EDB7A1EF89260F0402A6E40CC3292CE24685647D2

Function 00007FF7C0E221E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2651b3725e714005092b2c0a2784c4e731d78f8575d40d9f781102256bb8b277
Instruction ID: 13a73d0f2183492368f2c04506510365bd6efb0f56ca5a21c471c22262056821
Opcode Fuzzy Hash: 2651b3725e714005092b2c0a2784c4e731d78f8575d40d9f781102256bb8b277
Instruction Fuzzy Hash: F4F03C32E0491E8EDB54FFA894095FEBBE4EB58351F40026BE50DE2255DE34694547C0

Function 00007FF7C0E29E69 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17922b04dabe9bb82291e1fd6d792766c4a499a77aeb7b0f0b03528620d2f3a
Instruction ID: 00095d8095569e4206b6671b0168187851d5ecc3a9593248ac4205aa5a5628c8
Opcode Fuzzy Hash: b17922b04dabe9bb82291e1fd6d792766c4a499a77aeb7b0f0b03528620d2f3a
Instruction Fuzzy Hash: B3F04430F5C91A4AE798FA7884566B9E2C1FF88365FD1513DD45EC3382DF28B8914291

Function 00007FF7C0E21DC1 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685dc9f4e3d6d7cce4d9d94453c87b7acf8065ea372f5d58be12025df68b6357
Instruction ID: 87997d17e81a8781b1d73a35cbd79804eaac9bb7b18b10366cafb04f99a4c8bf
Opcode Fuzzy Hash: 685dc9f4e3d6d7cce4d9d94453c87b7acf8065ea372f5d58be12025df68b6357
Instruction Fuzzy Hash: B301F45090E7C14FD353A7309C624A9BFB09F63610B8D01EBD485CA1E3D90CA94AC3A3

Function 00007FF7C0E21D6B Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62a281ed86ff21b45bbbb3a775b7801afc35ed83b03e1998c0c09af915e8796e
Instruction ID: 18fa60cc00f3cc4eb9c7da2970285da34ee4eed4394a9621c86460be799b8052
Opcode Fuzzy Hash: 62a281ed86ff21b45bbbb3a775b7801afc35ed83b03e1998c0c09af915e8796e
Instruction Fuzzy Hash: B9F02761E08A194BE384F938B885AB977C1DBA8764F84057AE80DC739ADD14AA8143C2

Function 00007FF7C0E22A41 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3aef066dc2a1a6ce89b06bfd76eb3fba35955ec1e03330fc808c1a776ece27e
Instruction ID: e34ec6cc341a2575713f30329256f9b7d1f97cecb321fdb8fa271414824aa504
Opcode Fuzzy Hash: a3aef066dc2a1a6ce89b06bfd76eb3fba35955ec1e03330fc808c1a776ece27e
Instruction Fuzzy Hash: 6AF05E51E5C9064AF6A87A7894653BD92D1AF98360F90057DE00DC37C7DF2CBC4286E1

Function 00007FF7C0E20B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bb186fd521211bde738554e9ce10b9564148389710809d1b45c2e73ccb0edf
Instruction ID: f62f65c48d5c55f0fbd085a014c18a12448677b70bda3759091515b3fdcb235e
Opcode Fuzzy Hash: 52bb186fd521211bde738554e9ce10b9564148389710809d1b45c2e73ccb0edf
Instruction Fuzzy Hash: EFE01221B14D1D4FEF80FFACA4492FDB2D6EB9C221F504177D50DD3292DE2868518791

Function 00007FF7C0E294A0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f804d7b0244e5e03d28a1d067b88c3218185c45f718312744f95bcd885979928
Instruction ID: 88371659c1677c01642c50c9893c734b25c8db6eed42638891e63aea000dd8b8
Opcode Fuzzy Hash: f804d7b0244e5e03d28a1d067b88c3218185c45f718312744f95bcd885979928
Instruction Fuzzy Hash: 0DE0D87450894C9FDB15BB69E855A95BBA4FF89318F0000A9E41CC3191C7315596C795

Function 00007FF7C0E22751 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be4bccbd647c8b36feafc262edde1ab5529595d42f1ae07b53807d1bbb931b38
Instruction ID: d72d9d5c12f214466c2b8ee0ddae381f5c0ae206df1f3e1534aec59c05cbb8db
Opcode Fuzzy Hash: be4bccbd647c8b36feafc262edde1ab5529595d42f1ae07b53807d1bbb931b38
Instruction Fuzzy Hash: 32C08C368A8A4E9BEF01BF6458021EAF3A0FB44204FC0064EF82DC3160DB31732846C3

Function 00007FF7C0E29D01 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85f7633d9c175ad49d0ae27a17029fcb3e90f3f803e6067d19a8003aa62e34be
Instruction ID: a21f50badf254cecfbf648332ddb422dd0ab4d3cafa24d1f8bf3148f9088746b
Opcode Fuzzy Hash: 85f7633d9c175ad49d0ae27a17029fcb3e90f3f803e6067d19a8003aa62e34be
Instruction Fuzzy Hash: 30A00204CD750609980836AA1D934A4B8515B89120FC61964D80880287A98E25E942E3

Function 00007FF7C0E228A1 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d558e12aef23f18b74ab72165c83ea1aee8ed4bdb3f02a5d2e6f544d8a5640b7
Instruction ID: c2f3278b7e555c1f0b282589a792001770da6361c24b031aceae8d0e3d250772
Opcode Fuzzy Hash: d558e12aef23f18b74ab72165c83ea1aee8ed4bdb3f02a5d2e6f544d8a5640b7
Instruction Fuzzy Hash: 2FA00204CC740601945835AA1D83094B4505F89120FC52564D808802C7B98E25E906E3

Non-executed Functions

Function 00007FF7C0E20E3A Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3733440453.00007FF7C0E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7c0e20000_uctgkfb7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fca9d7c2a0fdbb08c65d1787b9b40b5fe8cc63ead3ebb02163ba82249e5e846
Instruction ID: 6e1817a33c73e1336e3b2711b47df2a781320802d461bd014d241e552d7de4c4
Opcode Fuzzy Hash: 1fca9d7c2a0fdbb08c65d1787b9b40b5fe8cc63ead3ebb02163ba82249e5e846
Instruction Fuzzy Hash: FD71C567E0C1621FE611B7BDF8996E93754DF41378B48817BD1CCCA293DD1838468AE4

Analysis Process: Windows.exePID: 7976, Parent PID: 1040COMMON

Executed Functions

Function 00007FF7C0E3128C Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10eb31a35eb320055c85040c1314eb3295fe9bd0a2c5b427f0d3aeb6926b67e0
Instruction ID: cb5152746dd30bc5447f975b7b31ad43fb74062c9852f2c21fdf7dfad2272545
Opcode Fuzzy Hash: 10eb31a35eb320055c85040c1314eb3295fe9bd0a2c5b427f0d3aeb6926b67e0
Instruction Fuzzy Hash: 8A228570B58A099FE754FB3894A97B9B7D2FF88750F844579E00EC3386DE28B8418781

Function 00007FF7C0E31B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b14256ebc2e47fcb523b51836ef377a8130391520b4a6c9ee103ff25da3a3b7
Instruction ID: 1a1bcd74d6de483ecc2a487942e4e8cd68454dd0c1afc99bb85b9d3f5d08f257
Opcode Fuzzy Hash: 0b14256ebc2e47fcb523b51836ef377a8130391520b4a6c9ee103ff25da3a3b7
Instruction Fuzzy Hash: 5F511660A5DAC54FD786BB385868275BFE1EF87225B0805FFE08DC7293DE186846C352

Function 00007FF7C0E31065 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ef6df6dc3a9833382b4b8adc8f1910085d724640305bfd91336a0b51e96f5d
Instruction ID: 50f6a9860f7aca6726a34b3ce2f9b79d7641f30d946c28da5ce8088b2885a530
Opcode Fuzzy Hash: 66ef6df6dc3a9833382b4b8adc8f1910085d724640305bfd91336a0b51e96f5d
Instruction Fuzzy Hash: EB41C07290868A4FDB05FB6CE8A52E9BB70FF85364F4541BBC049D7293DE2478468B90

Function 00007FF7C0E310D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aa882f78c025c359346c20fe65e09dfd216860051bd08ac1f21ec6eda69a0f6
Instruction ID: b823fbc071d7c87ff83a473b4930f2d28b0cbefd1551fed38873efd6ea5adf41
Opcode Fuzzy Hash: 4aa882f78c025c359346c20fe65e09dfd216860051bd08ac1f21ec6eda69a0f6
Instruction Fuzzy Hash: 0031AD7190898A8FDB45EB68D8A52EDBF71FF49350F4501AAC00AE3297CF347945CBA0

Function 00007FF7C0E30BEE Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c5c61c4e352e6d100846c9a43e4142359cba307f1e3d8ce5f76b842aa74aa4
Instruction ID: 2f8dd9a30b6fad2bc2018fe6d3234860bc78e9065c8247bb7b290a0543d41fc5
Opcode Fuzzy Hash: f5c5c61c4e352e6d100846c9a43e4142359cba307f1e3d8ce5f76b842aa74aa4
Instruction Fuzzy Hash: C7511520A0DA860FE356BB3858262757FE2EF87660B4901FAD489C7293DD1C6C468362

Function 00007FF7C0E30528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac7d4ff77b6a3fb33177a7c71432b8cc5268c6c47725605d434c078c08ca340
Instruction ID: 63b440d3c84865331e4ddb3de288e055dd11fd032e2cbc2fc7c927d5b8ca45a3
Opcode Fuzzy Hash: 5ac7d4ff77b6a3fb33177a7c71432b8cc5268c6c47725605d434c078c08ca340
Instruction Fuzzy Hash: 7C31D521B18D494FE788FB2D9459379B6D2EF89761F4406BEE00EC3293DE68AC418381

Function 00007FF7C0E30949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a97775d6339566fefde3c9899e86e50e7413384dfc6ae8a13a23cdd1ba317b6
Instruction ID: 7df7db4d10a6ac70d83ff3b13b04c76cf5036305cf6d451e49669b75a6010475
Opcode Fuzzy Hash: 2a97775d6339566fefde3c9899e86e50e7413384dfc6ae8a13a23cdd1ba317b6
Instruction Fuzzy Hash: 2B315470E5890A9FDB44FB68D8A96FDBBA1FF89310F904576D009D3386DE3878418750

Function 00007FF7C0E30A89 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction ID: 3611af5ea4f4254528161f98bdc4a954ee670ecbbd535e3bb7120a45165e4379
Opcode Fuzzy Hash: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction Fuzzy Hash: FC21C721E18E454FE344BB785869779BBD1EF54B60F44427AE008C3383DE18AC414791

Function 00007FF7C0E3116C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e9781d9d2ad62c8d03113404c52b153992493ef9926dea126e65bfb98669ab
Instruction ID: 4ad99e1fb205c5978ad8f24dcf310f295cc399bfde422a4e4c094e56b2c3023b
Opcode Fuzzy Hash: 67e9781d9d2ad62c8d03113404c52b153992493ef9926dea126e65bfb98669ab
Instruction Fuzzy Hash: 88213E71A1480E9FDB48EB68D8A56EDBB71FF88355F404129C00AE3696CF3479958B90

Function 00007FF7C0E31D51 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction ID: 187b48d94eab55c79c0ccfa3a5f1f63e6a5be1b2a6e7a5bf2b49fbaf20308aab
Opcode Fuzzy Hash: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction Fuzzy Hash: 23F0EC6590D6D94FE352F738A811570BFB0DF4763275A01E7D088C71A3E55AAC05C3D2

Function 00007FF7C0E31D6C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6956a365601b096695ba164d662ab3f9a7ca56e0ffdf924de066c3ca3abd1ad
Instruction ID: 23753cb44e3e4307074d098bd083831606b8c62e6d07a8ea10af59afea930fc8
Opcode Fuzzy Hash: b6956a365601b096695ba164d662ab3f9a7ca56e0ffdf924de066c3ca3abd1ad
Instruction Fuzzy Hash: C4F02760A08A154BE384FA3C7895579BBD1EB94A64B84056EE80DC6295DD14AA8147C1

Function 00007FF7C0E30B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1397486280.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction ID: 1a56b8ef8044839c1a0815514b4c385a7f0993eb3e31fa86a56cc37983d9adb1
Opcode Fuzzy Hash: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction Fuzzy Hash: 2EE0ED21B14D194FAF80FFACA4592FCB2D1EB9C221F504177D60DD3296DE2868558791

Analysis Process: Windows.exePID: 8128, Parent PID: 3968COMMON

Executed Functions

Function 00007FF7C0E51058 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae65e1f4b47ba2023cc27895b0b084e235e41499ef3b79adc0e6e068863364de
Instruction ID: e1bec266daec19dd3d874c45f024bfc3b80d0a3bb4c0d2e40d47147d632cb7f3
Opcode Fuzzy Hash: ae65e1f4b47ba2023cc27895b0b084e235e41499ef3b79adc0e6e068863364de
Instruction Fuzzy Hash: EF22B830B58E454FE794FB3894996B9B7D1FF98750F440AB9E40EC3392DE28B8418781

Function 00007FF7C0E50DFA Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8be578ecce9667366242609c478f3eb276aeb72c98c1e8338572cae9613f54
Instruction ID: 99e560f4efb590bdca17ffd0a0cc5a84898c47ce25b81c0735504e93d4a747bc
Opcode Fuzzy Hash: 3a8be578ecce9667366242609c478f3eb276aeb72c98c1e8338572cae9613f54
Instruction Fuzzy Hash: A4710727E0D5664FE21177BEF8992E97750DF413B9F0887B7D18C8A2939D0838468AE4

Function 00007FF7C0E51B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c72b80e7aac6159fc91c2dc3bcfa7dc337ea27c7a2d302e7efce6a0faaca90e
Instruction ID: 5c6c7a7abb30d88e835b080e0868b49d70a2aad0ba7d1c898457ce31b0876bf1
Opcode Fuzzy Hash: 4c72b80e7aac6159fc91c2dc3bcfa7dc337ea27c7a2d302e7efce6a0faaca90e
Instruction Fuzzy Hash: A2510620A5DAC54FD786BB785868275BFD1EF87225B0805FFE08DC7293DE186846C352

Function 00007FF7C0E51060 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27008a975465b492b2596108da15e52a91a4a61deddcef65bb41b4ea75df5b04
Instruction ID: b14a4d52e32cc4e6476a4c6472682f65b3ca9cfb93b9bc1ea6cb1a933e43c152
Opcode Fuzzy Hash: 27008a975465b492b2596108da15e52a91a4a61deddcef65bb41b4ea75df5b04
Instruction Fuzzy Hash: 1DF16330A589194FEB94FB7894997B9B7D2FF98790F4009B9E40EC3392DE2878418791

Function 00007FF7C0E51239 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101a063e0dfc4131e1013e9f07521a48511bbddcbca291ccfa4e1d4e8675b298
Instruction ID: e88d944ac928a96371d835468bd194f08d17d495d5fb42b1326e4338446e0cc9
Opcode Fuzzy Hash: 101a063e0dfc4131e1013e9f07521a48511bbddcbca291ccfa4e1d4e8675b298
Instruction Fuzzy Hash: 3CE18330A589554FE794FB3894997B9B7E1FF98790F8009B9E40EC33D2DE2878418791

Function 00007FF7C0E50BEE Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48370df4c8d314988e2ca4228ac836e20f1c4cb0af802b450f34a14fe20e09a3
Instruction ID: 5630e9868a13fc1f8bbb6661a27dd5615b80e26b0b608d326a53682faa3b6885
Opcode Fuzzy Hash: 48370df4c8d314988e2ca4228ac836e20f1c4cb0af802b450f34a14fe20e09a3
Instruction Fuzzy Hash: AD512821A1DA8A0FE356AB3858162757BE1DF87270B4906FAD489C7293DD1C7C468352

Function 00007FF7C0E50528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb1e1b45cbf5168701a7169d230bb5ba8879d16de88f9165427dda7dd2ff80
Instruction ID: 6b527ea55dc7ef921b2e53a764688d6bb9bcbdd3d7805942cb7ef878a47bc1e4
Opcode Fuzzy Hash: 59cb1e1b45cbf5168701a7169d230bb5ba8879d16de88f9165427dda7dd2ff80
Instruction Fuzzy Hash: EB31A321B18D494FE798EB2D9459279B6D2EB99361F4406BEE00EC3293CD64AC458341

Function 00007FF7C0E50949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adc0623e1c22b3e7d9705dd90ca42454b61413a95faa585d0bba90caeec78795
Instruction ID: 4575a6fba6afdc28a93a3a75ab579b0a97184ce761fe299e1b910879d45e2ea4
Opcode Fuzzy Hash: adc0623e1c22b3e7d9705dd90ca42454b61413a95faa585d0bba90caeec78795
Instruction Fuzzy Hash: 3A317E30E58A1A9FEB84FB6898956EDB7A1FF98350F9045BAD109D3386CE3878418750

Function 00007FF7C0E510D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae8ac28abf1e27405131b2b68c4f2e6345899a9e9ac2ab366d3e14cc617f532
Instruction ID: 9e42c67ea2cdc2c3851a971f9f49cdf4b7329ee8c978dfb8fb4d412ddeb29e05
Opcode Fuzzy Hash: 7ae8ac28abf1e27405131b2b68c4f2e6345899a9e9ac2ab366d3e14cc617f532
Instruction Fuzzy Hash: 19F0496180D7C95FD703A7748C642A97F70EF57354F0A05EBD085CB2E3DA686908C762

Function 00007FF7C0E50A89 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb91d28ce81c8da969780274e9499c44a8f2efff7562c2490331324831997533
Instruction ID: 7aa37332e84f04296deca80e108ea0a7e3f30f713f2f88e1b1e0408b345955d2
Opcode Fuzzy Hash: eb91d28ce81c8da969780274e9499c44a8f2efff7562c2490331324831997533
Instruction Fuzzy Hash: 9B21C421E18E494FE784BB784C597BAB7D2EF54760F4442BAF409C3383DE28AC414792

Function 00007FF7C0E51168 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 887c05b4e9d3468f24e29cb74a835ec7944dc890d851d851202450c5736bde44
Instruction ID: bca79280e2ebaa7e381cfeebfa96860833153a9e070bbc6f13e2c7af878a7dac
Opcode Fuzzy Hash: 887c05b4e9d3468f24e29cb74a835ec7944dc890d851d851202450c5736bde44
Instruction Fuzzy Hash: 97215C71A5480E8FDB44FBA8D8A52FEB7B1FF98390F400165D40AE3386CE3479468B90

Function 00007FF7C0E51D51 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 460d5083c0d54f03855708a018e60229d9a01ad4b0060ebabe1a605ce7d09747
Instruction ID: 9c98495760822581163bb9b490c2f8f1b5130fa77271928ff26bbb533efe4479
Opcode Fuzzy Hash: 460d5083c0d54f03855708a018e60229d9a01ad4b0060ebabe1a605ce7d09747
Instruction Fuzzy Hash: 9D014410D0CB854FD742F6386C545757FF09F96791F4805E7E488C71D7D904694583D2

Function 00007FF7C0E50B67 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1499395186.00007FF7C0E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff7c0e50000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027783c8957d4600bfeea5b4de2f18a961c2a14c6d33f7f37f8ed3681db44a7e
Instruction ID: 738e74ac601b6c04c406f15e0f700c86b389724c320dfd5dde3bccd1ee33a1e2
Opcode Fuzzy Hash: 027783c8957d4600bfeea5b4de2f18a961c2a14c6d33f7f37f8ed3681db44a7e
Instruction Fuzzy Hash: 58E03920B14D098FAF80FFAC94892FCB2E1EF9C221F50013BE50ED3292CE2868518791

Analysis Process: Windows.exePID: 5948, Parent PID: 3968COMMON

Executed Functions

Function 00007FF7C0E41058 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1040a2b1c8610d9ef5dda14d92002dc6dc17ef913abd01fccdcd1e8d24714aa4
Instruction ID: b027ae7078b558a192c0284fe6ac85fde9595a216bf3ecff1245c7045c4ccf5f
Opcode Fuzzy Hash: 1040a2b1c8610d9ef5dda14d92002dc6dc17ef913abd01fccdcd1e8d24714aa4
Instruction Fuzzy Hash: 3222B730B18A494FE798FBB884997B9B7D2FF98754F800579D40EC3396DE28B8418791

Function 00007FF7C0E40DFA Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0d8a1d5c53926197023644b8bf830ed323843542c9bb3039317ce65c284982
Instruction ID: 92e58800c2caabcba63dda5d09a7b4d5f1585ae17b93a0a81de2eb236a48e52a
Opcode Fuzzy Hash: 1c0d8a1d5c53926197023644b8bf830ed323843542c9bb3039317ce65c284982
Instruction Fuzzy Hash: 90817727E0C5620FE61177FEF8992E97B50DF413B9B4881B7D2CCCA2939D18344A8AD5

Function 00007FF7C0E41B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d86a8ae16aae8ce0cca3359e3c6d7a71304366b4aeef3e1967f88d42f17c1eee
Instruction ID: e0510956a8a0c81985fd5533031f32dbc27fdd4a5f29642095fa870bcaf643de
Opcode Fuzzy Hash: d86a8ae16aae8ce0cca3359e3c6d7a71304366b4aeef3e1967f88d42f17c1eee
Instruction Fuzzy Hash: 5E511820A5DAC54FD786BBB85864275BFD1DF87225B0805FFE08DC7293DE586806C352

Function 00007FF7C0E41060 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c99c08d26a0dfccd12325d6d5e1ed12ebde41324167ec1c9dd3400dd9a706560
Instruction ID: 86b5b9ba8bfda7d1d50f9d0ec9fbfc62e1bd94da1040f03f3d48efbe99e413d5
Opcode Fuzzy Hash: c99c08d26a0dfccd12325d6d5e1ed12ebde41324167ec1c9dd3400dd9a706560
Instruction Fuzzy Hash: DDF17420A189598FEB98FBB884997B9B7D2FF98750F400579D40EC3396DE28BC418791

Function 00007FF7C0E41239 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dcd64a102f7d3fa663fc5e3c0d9b884d2d489a104147edf81ac5a160d2d5cd
Instruction ID: 0e088169288dbc85cb84758e71364f8bc75c15428261656e33f478eee557ac18
Opcode Fuzzy Hash: d0dcd64a102f7d3fa663fc5e3c0d9b884d2d489a104147edf81ac5a160d2d5cd
Instruction Fuzzy Hash: 6DE16520A189594FE798FBB884997B9BBD2FF98750F800579D40EC3396DE2C78418791

Function 00007FF7C0E40BEE Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 580509d1a3f1e40d964df099d260089acfeb4e159363d5ae58f84d306b462cda
Instruction ID: e44dfc6e8c355d862c3af3431fa0eaafdd95c52364ef1adecc0d29130a90a9d9
Opcode Fuzzy Hash: 580509d1a3f1e40d964df099d260089acfeb4e159363d5ae58f84d306b462cda
Instruction Fuzzy Hash: 61512520A0DB860FE396BB7858562757FE2DF87260B4901FAD489C7293DD1C6C468362

Function 00007FF7C0E40528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6db866d02988f71e8447c57c9fa118bba76d9d1c8533d6e25f82ab5d1637b0
Instruction ID: cf528699b6315fa577f3cf8f3715beb3d4d99e20ba535829071ec4bdfa0d4007
Opcode Fuzzy Hash: 4d6db866d02988f71e8447c57c9fa118bba76d9d1c8533d6e25f82ab5d1637b0
Instruction Fuzzy Hash: 5231B621B189494FE798FB6D9899379B6D2EF99361F4406BEE00EC3293CD64AC418341

Function 00007FF7C0E40949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e8c31e2c92d1ee186c396b0f1a2fe1daeb4aecc7cac49efa616ac95f277c5e
Instruction ID: b05efda2b5581785d3ea5fc07da4f0d3569baac36c276cf7f6edff0c040935a7
Opcode Fuzzy Hash: 42e8c31e2c92d1ee186c396b0f1a2fe1daeb4aecc7cac49efa616ac95f277c5e
Instruction Fuzzy Hash: 43313230E1895E9FDB84FBA898996EDBBA1FF98310F504576D009D3386CE3878418751

Function 00007FF7C0E410D0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a54c7aa1d256200c26785cd0388a6527ccb50c3c15598d4d3a2a278886fba98
Instruction ID: 2a89a8727a1a403d6b00805fed01dc1b6b4d32f3f50abd6821a2f96156d59fb5
Opcode Fuzzy Hash: 5a54c7aa1d256200c26785cd0388a6527ccb50c3c15598d4d3a2a278886fba98
Instruction Fuzzy Hash: 06F0496180D7C95FD703A7748C642A5BF71EF57354F0A05EBD085CB2E3DA68A9088762

Function 00007FF7C0E40A89 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64bc0a2f4c602201d9f70b58996c0dd25da4f35376b26895409e4759f691cc5
Instruction ID: b32d5f4042b26c9ddcdd32524c7468f7f9feffd05b7a511afcafb1dcde666a51
Opcode Fuzzy Hash: c64bc0a2f4c602201d9f70b58996c0dd25da4f35376b26895409e4759f691cc5
Instruction Fuzzy Hash: 7921C421E18E458FE344BBB8485D77ABBD6EF947A0F44427AE009C3383DD68AC414792

Function 00007FF7C0E41168 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83c4688f481dd9706c89b09ee1dd7a752194faa97787af04bb2bef11ea6be53
Instruction ID: 1d358acee1def993e9c6a739dc6305dde0b46378cb7fad50ffd5775b63e992af
Opcode Fuzzy Hash: f83c4688f481dd9706c89b09ee1dd7a752194faa97787af04bb2bef11ea6be53
Instruction Fuzzy Hash: 9C215E70A5494E8FDB48EBA8C8A52EEF7B1FF88350F400165C00AE3786CE30B8519B90

Function 00007FF7C0E41D51 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81b563a763457512dcd53666c4e844480d695255b5770280ecc41b73f1bdedda
Instruction ID: 8e4cec54ba591ac7e69ada36d826d6fde5066bd61cc40a7023523180baa699af
Opcode Fuzzy Hash: 81b563a763457512dcd53666c4e844480d695255b5770280ecc41b73f1bdedda
Instruction Fuzzy Hash: 5F019E10D0C7854FE742BA782C505B57FE18FD6761F0801FBE888C72D7D908694483E2

Function 00007FF7C0E40B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1581092656.00007FF7C0E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_7ff7c0e40000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e4e94ed09170dfd2274c4fbb0061fd11575268ffb30b62b870a668d6ad173c
Instruction ID: 58c168cae8230ec3fd53e4476932b2eefa1dc340e92f3448ff8ecaddcc4ffc96
Opcode Fuzzy Hash: 96e4e94ed09170dfd2274c4fbb0061fd11575268ffb30b62b870a668d6ad173c
Instruction Fuzzy Hash: 83E0ED21B14D194FAF80FFECA4492FCB2D1EB9C261F504177D60ED3292DE2868518791

Analysis Process: Windows.exePID: 2472, Parent PID: 1040COMMON

Executed Functions

Function 00007FF7C0E3128C Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db474bc5881fc3d527ddfe7a585dfda0c5a8b09e1d69516f0bd7f8671ca3ea67
Instruction ID: 6c98416f74a91316a4e6f26006bdcf82093907736fe1ef2ae581ff8f8f2cf581
Opcode Fuzzy Hash: db474bc5881fc3d527ddfe7a585dfda0c5a8b09e1d69516f0bd7f8671ca3ea67
Instruction Fuzzy Hash: 9922B270B18A494FE798FB2894997B9B7D2FF98B50F90457DD00EC3382DE68B8418781

Function 00007FF7C0E31B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f1bc157b910774be8b47813ca579a1430416e5bcb35b6d04215a43f7eda43e3
Instruction ID: 920b0b9bff86358dc307a173fcbbc4bf6480f1402510c290de63c1beb31c8a27
Opcode Fuzzy Hash: 0f1bc157b910774be8b47813ca579a1430416e5bcb35b6d04215a43f7eda43e3
Instruction Fuzzy Hash: 5E510560A5DAC54FD786BB385868275BFE1EF87225B0805FFE08DC7293DE186846C352

Function 00007FF7C0E31065 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716f16885ce0b461d7ccd1f14385de01f27c802848525bec9474175dca835e1b
Instruction ID: 7e4b48b8274da14908ff3c99e7bd85a7d3abd07b66adf80672ff72969a6bad99
Opcode Fuzzy Hash: 716f16885ce0b461d7ccd1f14385de01f27c802848525bec9474175dca835e1b
Instruction Fuzzy Hash: C641E17290868A4FD701FB2CE8A52E9BF70FF85364F4541BBC049D7293DE2478468B90

Function 00007FF7C0E310D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a89881a71817c43ceb67f1a9afdea6ebe3fedc3733c2a46efb5539a8f6671a
Instruction ID: 53f12678c70628042bdfd40265c08de08ee65c6ea09220a430eace682296a071
Opcode Fuzzy Hash: 81a89881a71817c43ceb67f1a9afdea6ebe3fedc3733c2a46efb5539a8f6671a
Instruction Fuzzy Hash: 4531CD7190898A8FDB45FB28D8A52EDBF71FF48350F4401AAC00AE3697CF3479458B90

Function 00007FF7C0E30BEE Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e83256ae9ba821605a1493a54e79964c49e1900c575fb340aa3c8b032cef9cc1
Instruction ID: 048e6e6d0a2cc0f274fc81efb013decc1b44ae6bc5840e49a84b82050ac0deeb
Opcode Fuzzy Hash: e83256ae9ba821605a1493a54e79964c49e1900c575fb340aa3c8b032cef9cc1
Instruction Fuzzy Hash: EA511520A0DAC60FE356AB3858262757FE2EF87660B4901FAD48DC7293DD5C7C468362

Function 00007FF7C0E30528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7507f36d545175f514df470b678f44bb6cdb0825ec1705eb5da3c209e54977d8
Instruction ID: 72c90ad67e9dfba067267b4b8386c4ba8ca032d38c64201b213efc81b7c22421
Opcode Fuzzy Hash: 7507f36d545175f514df470b678f44bb6cdb0825ec1705eb5da3c209e54977d8
Instruction Fuzzy Hash: B331B521B18D494FE798FB2D9459379B6D2EF99761F4406BEE00EC3293CE68AC458381

Function 00007FF7C0E30949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fef3789febf04b081e1a9bb7f39736126177721524371c1b9318cf63e5960afa
Instruction ID: 810bc2bbb065e3a504b5ffb8526fea15d512f899c2c7299e44c9005e6aa2bb43
Opcode Fuzzy Hash: fef3789febf04b081e1a9bb7f39736126177721524371c1b9318cf63e5960afa
Instruction Fuzzy Hash: D4317230E5894A9FDB44FB6898A96FDBBE1FF98310F90457AD009D3786CE6878418B50

Function 00007FF7C0E30A89 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction ID: 3611af5ea4f4254528161f98bdc4a954ee670ecbbd535e3bb7120a45165e4379
Opcode Fuzzy Hash: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction Fuzzy Hash: FC21C721E18E454FE344BB785869779BBD1EF54B60F44427AE008C3383DE18AC414791

Function 00007FF7C0E3116C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12897117c58fa8b5409e618e685d2a20e295678cf2b3f94e829fcef32c59dc6
Instruction ID: 09f60bddcf225e4f7a325b6541b80a9f7f33a6c1f6ca9bc1ec3ef3f950998a47
Opcode Fuzzy Hash: f12897117c58fa8b5409e618e685d2a20e295678cf2b3f94e829fcef32c59dc6
Instruction Fuzzy Hash: CD215E71A5484E9FDB48FB68D8A56EDBB71FF88350F400129C10AE3686CF3079558B90

Function 00007FF7C0E31D51 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction ID: 187b48d94eab55c79c0ccfa3a5f1f63e6a5be1b2a6e7a5bf2b49fbaf20308aab
Opcode Fuzzy Hash: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction Fuzzy Hash: 23F0EC6590D6D94FE352F738A811570BFB0DF4763275A01E7D088C71A3E55AAC05C3D2

Function 00007FF7C0E31D6C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d54de1dd4a4f1df3f1a981ac0f6b3707ad27f678293721d4dc5548e2621d38
Instruction ID: 32bea40067d99db923c25ff2bf24955018adbf69cf2c8d983ffc15e6b72889c9
Opcode Fuzzy Hash: f6d54de1dd4a4f1df3f1a981ac0f6b3707ad27f678293721d4dc5548e2621d38
Instruction Fuzzy Hash: 75F02761A08E150BE384FA3C7489579FBD1EBA4B64B44056EE84DC6295DD14AA8147C1

Function 00007FF7C0E30B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1823658554.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction ID: 1a56b8ef8044839c1a0815514b4c385a7f0993eb3e31fa86a56cc37983d9adb1
Opcode Fuzzy Hash: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction Fuzzy Hash: 2EE0ED21B14D194FAF80FFACA4592FCB2D1EB9C221F504177D60DD3296DE2868558791

Analysis Process: Windows.exePID: 3068, Parent PID: 1040COMMON

Executed Functions

Function 00007FF7C0E3128C Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec0661eed3d43008b026a38d750104b2b0b6027c6d3dcf48dbc11c9f3dbb752
Instruction ID: 7f8c3de90c17e05cbd55ab7f9e0e1ca1b60db21211e618b01b4008481ecb479f
Opcode Fuzzy Hash: aec0661eed3d43008b026a38d750104b2b0b6027c6d3dcf48dbc11c9f3dbb752
Instruction Fuzzy Hash: DD228170B58A095FEB98FB2894997B9B7D2FF98750F804579D00EC33C6DE28B8418791

Function 00007FF7C0E31B99 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60a55d22dd13a8553ce41f6122594b2f3e0ded15f662f9bc91203efe6f9c037
Instruction ID: 7d8e1d748eca1bd931258f9ce0605e45be056dab4d1144b603fda3cb79029095
Opcode Fuzzy Hash: d60a55d22dd13a8553ce41f6122594b2f3e0ded15f662f9bc91203efe6f9c037
Instruction Fuzzy Hash: 14511660A5DAC54FD786BB385864275BFE1EF87225B0805FFE08DC7293DE186806C352

Function 00007FF7C0E31065 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e2cfe1249ee32be41fcb561498d1e6c5cdfd025323d09f117f751a2f898583f
Instruction ID: 1bcece9b0c1bf66f7867c20fde79782208f896404fb6705e0933c2237c374d1b
Opcode Fuzzy Hash: 0e2cfe1249ee32be41fcb561498d1e6c5cdfd025323d09f117f751a2f898583f
Instruction Fuzzy Hash: 2F41E67290858A4FDB01FB2CD8A52E9BF70FF85364F4541BBC049D7293CE28784A8B90

Function 00007FF7C0E310D0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f12bdac05ca6ee8455aa8f744158e536498e778515b63a55422b7e6b07275e4
Instruction ID: 5d9bcb9c180dd388a26b79ac0173f0761abffdb8cc11f4ecba69f2bfb7a74afc
Opcode Fuzzy Hash: 1f12bdac05ca6ee8455aa8f744158e536498e778515b63a55422b7e6b07275e4
Instruction Fuzzy Hash: 3631A47190894A8FDB45EB68D8A52EDBF71FF85350F4501AAC00AD3297CF3479598BA0

Function 00007FF7C0E30BEE Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a3d2b1562fe93eda9236417b662254e234de988a4851e3bdfbfc0631ebfcc9
Instruction ID: f4cb08c2dc7924ae56fa9377a3ce9c068b49323fcee23a304f396a90187fc628
Opcode Fuzzy Hash: a3a3d2b1562fe93eda9236417b662254e234de988a4851e3bdfbfc0631ebfcc9
Instruction Fuzzy Hash: 93511520A0DB860FE356AB3858262757FE2EF87660B4901FAD489C7293DD1C6C468362

Function 00007FF7C0E30528 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c7fc738f34330cce0c026dae9091c8ca1ac95f5189895df2f8637924e49776
Instruction ID: c67a83b2d63a8649f3008ce0f343481286e3f6bbc1d1843cbde594095785946b
Opcode Fuzzy Hash: 44c7fc738f34330cce0c026dae9091c8ca1ac95f5189895df2f8637924e49776
Instruction Fuzzy Hash: 0631B521B18D494FE798FB2D9459379B6D2EF99761F4406BEE00EC3293CE68AC458381

Function 00007FF7C0E30949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0028034c735b0d833bfbb705a428ab6ebbe7712d7ed02b36fe1c3ba724c1a321
Instruction ID: 350856222657cdc088f07eb6605cf5bd01b98074d9a53de20b87e07ca3f05a04
Opcode Fuzzy Hash: 0028034c735b0d833bfbb705a428ab6ebbe7712d7ed02b36fe1c3ba724c1a321
Instruction Fuzzy Hash: B5316F34E58A0A9FDB44FB68D8A56FDBBA1FF88310F90457AD009D3786CE7878458B50

Function 00007FF7C0E30A89 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction ID: 3611af5ea4f4254528161f98bdc4a954ee670ecbbd535e3bb7120a45165e4379
Opcode Fuzzy Hash: 355c693873a8ff2cb63720a75e0be3c17dec5d96983621e40d4c747c4f7bf40f
Instruction Fuzzy Hash: FC21C721E18E454FE344BB785869779BBD1EF54B60F44427AE008C3383DE18AC414791

Function 00007FF7C0E3116C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 763331d7e37746cf9bc988d8f0c8ac53dce17837131e43046e31f8f422c5bd9c
Instruction ID: dae50df7d7054a9d410488460ec434435745b048a076601f2e24a5a39918a7f3
Opcode Fuzzy Hash: 763331d7e37746cf9bc988d8f0c8ac53dce17837131e43046e31f8f422c5bd9c
Instruction Fuzzy Hash: C3217175A1480E9FDB48EB68D8A56EDFBB1FF88350F400129C00AE3786CF3479558B90

Function 00007FF7C0E31D51 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction ID: 187b48d94eab55c79c0ccfa3a5f1f63e6a5be1b2a6e7a5bf2b49fbaf20308aab
Opcode Fuzzy Hash: 68339c9ba80c6d549c742467508d0af2f8ff1a9456f816c22ac0a65427b68425
Instruction Fuzzy Hash: 23F0EC6590D6D94FE352F738A811570BFB0DF4763275A01E7D088C71A3E55AAC05C3D2

Function 00007FF7C0E31D6C Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4f295d1fb6c17282ec256b5dd71b06a173e1bceff9284354b045b3ad51acc0e
Instruction ID: ecf488cad6b474b87df55538afa0b9506701031607b2d8a3c6f2d33161cca48f
Opcode Fuzzy Hash: a4f295d1fb6c17282ec256b5dd71b06a173e1bceff9284354b045b3ad51acc0e
Instruction Fuzzy Hash: EBF05C70A08E150BE784FB3CB485579FBD1EBD4B64B44056EEC4DC7295CE14BA8147C1

Function 00007FF7C0E30B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.2412864572.00007FF7C0E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_7ff7c0e30000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction ID: 1a56b8ef8044839c1a0815514b4c385a7f0993eb3e31fa86a56cc37983d9adb1
Opcode Fuzzy Hash: 83167d742ef314c4a1540d342d1c0ae35692174c26e75be9c0cdb0c5c5a3bebb
Instruction Fuzzy Hash: 2EE0ED21B14D194FAF80FFACA4592FCB2D1EB9C221F504177D60DD3296DE2868558791

Analysis Process: Windows.exePID: 6100, Parent PID: 1040COMMON

Executed Functions

Function 00007FF7C0E61058 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75642385111f2b89552fee6fc68b64ebaac80fb7f28a679c2dcf3be8b3e2568c
Instruction ID: b3da93751a34dfb524e134973c00b2ff4f899e6b0515390396174d1817731751
Opcode Fuzzy Hash: 75642385111f2b89552fee6fc68b64ebaac80fb7f28a679c2dcf3be8b3e2568c
Instruction Fuzzy Hash: 7522B260F58A5D4FE798FB38949A6B9B7D2FF88754F840579D00EC3382DE28B8018781

Function 00007FF7C0E60DFA Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7558e2e6959cc95bd281ac9da6d37f734d43f5b509b757e8071157b77570131
Instruction ID: e22c4a6f1a02577f6aad9ed3304386a8ec2629d27e6dc73b5e59cb9ed16eadca
Opcode Fuzzy Hash: b7558e2e6959cc95bd281ac9da6d37f734d43f5b509b757e8071157b77570131
Instruction Fuzzy Hash: 0471FA67E0C5620FE61177BEF89A2EA3B50DF413B9F088177D1CC8D2939D1934468AD5

Function 00007FF7C0E61B99 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8daeb32c5b3cbbeff7768c9a2df204d55604bf77259b9989dc210cceebdb66
Instruction ID: 2401a1b49dab22db0807a69250a2113a4ec7808b17a60050c40cf165b4fb3f1c
Opcode Fuzzy Hash: 1c8daeb32c5b3cbbeff7768c9a2df204d55604bf77259b9989dc210cceebdb66
Instruction Fuzzy Hash: 2B513924A4DAC94FD786BB385864275BFD1DF87225B0805FFE08DC7293DE186806C392

Function 00007FF7C0E61060 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e00db4eb949e066e173d23a21aed5b543818c27192cb5b2f1ced59a2cd4d51
Instruction ID: 2d902ed234cddc8939877bca3656c2d0d8affa055039c25d00b8995d4085df73
Opcode Fuzzy Hash: d6e00db4eb949e066e173d23a21aed5b543818c27192cb5b2f1ced59a2cd4d51
Instruction Fuzzy Hash: DFF18060B5891D5FE794FB78949ABB9B2E2FF88750F844579D00EC3392DE28B8418781

Function 00007FF7C0E61239 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ff6bac5793c5d2e182c6800c41efbd1ec4cb8974ab6db6646465556e158be8
Instruction ID: eb6ea74574311799582726fecc970ad5878daf5bf344fc8005136cf3534b7927
Opcode Fuzzy Hash: 21ff6bac5793c5d2e182c6800c41efbd1ec4cb8974ab6db6646465556e158be8
Instruction Fuzzy Hash: 0BE19160E5895D5FE794FB78949A7B9B7E1FF88750F8405B9D00EC3392DE28B8018781

Function 00007FF7C0E60BEE Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cbaaba1629cf27f4c8310364827416960d8f9cb8b13a13d01674560856de365
Instruction ID: 2526d5b67aebac2bf2176c9120cb51960a00785b8f15ef9df95116e5663a275b
Opcode Fuzzy Hash: 1cbaaba1629cf27f4c8310364827416960d8f9cb8b13a13d01674560856de365
Instruction Fuzzy Hash: CC512621A0DA8A0FE357AB3858562767FE2DF87270B4902FAD489C7293DD5C7C468352

Function 00007FF7C0E60528 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ed97ea2db0641fc10e8caace8cc80e624e0347aff1dfcdaffc5122d3d9fb1d6
Instruction ID: c5421f7604db58b2f0f34cdf8ca913f002cb29a300baf22afdf0bea31d767c56
Opcode Fuzzy Hash: 1ed97ea2db0641fc10e8caace8cc80e624e0347aff1dfcdaffc5122d3d9fb1d6
Instruction Fuzzy Hash: DE31B631B18D494FE798FB2D945A279B7D2EB99361F4406BEE00EC3293CE64AC418381

Function 00007FF7C0E60949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412f6fd2cfec5ce32022ba74ea6c273e73341019917374958349604743849d7a
Instruction ID: eb0f3cddaf1c03699722fafca3d7c7c1e5268d8b6773b38057a0a5360b2a0350
Opcode Fuzzy Hash: 412f6fd2cfec5ce32022ba74ea6c273e73341019917374958349604743849d7a
Instruction Fuzzy Hash: 7A317074E58A1E9FDB84FB68D8A56EEB7A1FF88310F50457AD009D3386CE6878418B50

Function 00007FF7C0E610D0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723e017152addfd516f6fcf220ca7450b3ed0efd88440dd7b397c45f5f2dca5b
Instruction ID: 6412e0405c65c93d8b29773a92ebad1b754312c01212bbc25efeb9bb7486a4c2
Opcode Fuzzy Hash: 723e017152addfd516f6fcf220ca7450b3ed0efd88440dd7b397c45f5f2dca5b
Instruction Fuzzy Hash: 8AF0876180D7C95FD703A7348C202E5BF70EF17254F0A05EBD084DB2E3DA28690883A2

Function 00007FF7C0E60A89 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12abfc0719ed570ca08411579d6a249304e839bdcc5eebd7ee133be5fe2cc0b6
Instruction ID: 18633222c821ad1756ce234aacef916d975c873b896ef3f4838f43cd8fb92215
Opcode Fuzzy Hash: 12abfc0719ed570ca08411579d6a249304e839bdcc5eebd7ee133be5fe2cc0b6
Instruction Fuzzy Hash: B821C461E18E494FE345BB785C597BAB7D2EF547A0F44827AE00DC3392DE28AC418791

Function 00007FF7C0E61168 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec5a0628a32f73a8117eea127b312904155b9118f2edc033049f1ced879ca055
Instruction ID: 03a2598dc26fc7738f24f2fa65baaff0586f813800a09108f42f51dd4d78814d
Opcode Fuzzy Hash: ec5a0628a32f73a8117eea127b312904155b9118f2edc033049f1ced879ca055
Instruction Fuzzy Hash: 95215A75A4480E9FDB44EB58D8A66EDB7B1FF88351F840125C40AE33A6CF3079958BD0

Function 00007FF7C0E61D51 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6e615f404037020c8057426dc122e6e5e76d974adc50d21b5a4f389ab5d649
Instruction ID: f460535818165dcf77f547ced6e10662832fb0af0bd497ab888d88d331e657c1
Opcode Fuzzy Hash: 5f6e615f404037020c8057426dc122e6e5e76d974adc50d21b5a4f389ab5d649
Instruction Fuzzy Hash: 9D012B54D0DB890FE383BA3878519B57FF08F96665F4C01EBE489C72D7D908AA4483D2

Function 00007FF7C0E60B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3013960496.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c0595c1df0dc8425f73310370e3f19485e2f77145880ba297cb732ddb141aa
Instruction ID: 6ddb3eeb40be229eb5cc7506138e8544162ca79324ae8696a9b4a82352d31f56
Opcode Fuzzy Hash: c1c0595c1df0dc8425f73310370e3f19485e2f77145880ba297cb732ddb141aa
Instruction Fuzzy Hash: 8CE0ED21B14D1D4FAF80FFACA4492FDB2D1EB9C261F504177D50ED3292DE2868518791

Analysis Process: Windows.exePID: 5652, Parent PID: 1040COMMON

Executed Functions

Function 00007FF7C0E61058 Relevance: .7, Instructions: 668COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3caf0d8464395bfec6e47f795079cbc6ac87e0d7e6db2e7be32499065357670
Instruction ID: 821533a2d74e7109c545e21ed7899bb7c5b6f47bdea579eb61e457b173854bb9
Opcode Fuzzy Hash: e3caf0d8464395bfec6e47f795079cbc6ac87e0d7e6db2e7be32499065357670
Instruction Fuzzy Hash: D022A260F58E594FE799FB3894996BAB7D2FF88750F840579D00EC3392DE28B8418781

Function 00007FF7C0E60DFA Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7558e2e6959cc95bd281ac9da6d37f734d43f5b509b757e8071157b77570131
Instruction ID: e22c4a6f1a02577f6aad9ed3304386a8ec2629d27e6dc73b5e59cb9ed16eadca
Opcode Fuzzy Hash: b7558e2e6959cc95bd281ac9da6d37f734d43f5b509b757e8071157b77570131
Instruction Fuzzy Hash: 0471FA67E0C5620FE61177BEF89A2EA3B50DF413B9F088177D1CC8D2939D1934468AD5

Function 00007FF7C0E61B99 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c05601df343a154744f3624844a2824fd872f4c3a391b2b980ef1e24528352
Instruction ID: f569c828ae577940232d1ca0f5d012f9fbe89d611214a9e3bb2f24cc42b88448
Opcode Fuzzy Hash: 80c05601df343a154744f3624844a2824fd872f4c3a391b2b980ef1e24528352
Instruction Fuzzy Hash: 96512924A5DAC94FD746BB385868275BFD1DF87225B0805FFE08DC7293DD186846C392

Function 00007FF7C0E61060 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c1b84bafdc5dbe5d03058baf32cda381d4a95ec33b6934bd6d4002053aa001
Instruction ID: 073a1c6884c594330f5f7f56346d937c0966598063913565a36b9fc347efc8d6
Opcode Fuzzy Hash: 65c1b84bafdc5dbe5d03058baf32cda381d4a95ec33b6934bd6d4002053aa001
Instruction Fuzzy Hash: 71F18160B589194FE794FB7894997BAB7E2FF88750F840579E00EC3392DE28BC418781

Function 00007FF7C0E61239 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09993538332807632445a53c92c54dcb163e35985b650b1d71abdee26c5793a2
Instruction ID: 012256638a830d3c48a4371037134a8f80f5c21c38e358e0cc95eb96931817e5
Opcode Fuzzy Hash: 09993538332807632445a53c92c54dcb163e35985b650b1d71abdee26c5793a2
Instruction Fuzzy Hash: E4E18260E589594FE794FB7894997BAB7E2FF88750F8405B9D00EC33D2DE28B8418781

Function 00007FF7C0E60BEE Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5b7fed8d65e6e2bc725a3980b14c1395f6cde23471e86224c61606ab1490f7
Instruction ID: f3cdb945679d9c3b256f3ef13b85865494fc9478852075d9400006c7313727d7
Opcode Fuzzy Hash: 8f5b7fed8d65e6e2bc725a3980b14c1395f6cde23471e86224c61606ab1490f7
Instruction Fuzzy Hash: 1B512821A0DA8A0FE357AB3858562767FD1DF87270B4901FAD489C7293DD5C7C468352

Function 00007FF7C0E60528 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3687e2360b016d07a7960ccf6aa792c10379a4ebfcd2f755d42201511d9480a7
Instruction ID: b057ebe8353590e2c847250c20c86e859fa2cec1effab42cc8cd651f7ea94448
Opcode Fuzzy Hash: 3687e2360b016d07a7960ccf6aa792c10379a4ebfcd2f755d42201511d9480a7
Instruction Fuzzy Hash: 4D319631B18D494FE798FB2D9459279B7D2EB99361F4406BEE00EC3293DD64AC458381

Function 00007FF7C0E60949 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78576c0c27cf575fe0f84d027defb7d10406cb3ea63c78bdb2d3d8fd20e921cc
Instruction ID: 3f7cbcbc7ad64fe4c314d253c9f10549add5a7df3d83f497e6752277dd8bae65
Opcode Fuzzy Hash: 78576c0c27cf575fe0f84d027defb7d10406cb3ea63c78bdb2d3d8fd20e921cc
Instruction Fuzzy Hash: F8313074E58A1E9FDB84FB68D8996EEB7A1FF88310F90457AD009D3386CE3878418750

Function 00007FF7C0E610D0 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 723e017152addfd516f6fcf220ca7450b3ed0efd88440dd7b397c45f5f2dca5b
Instruction ID: 6412e0405c65c93d8b29773a92ebad1b754312c01212bbc25efeb9bb7486a4c2
Opcode Fuzzy Hash: 723e017152addfd516f6fcf220ca7450b3ed0efd88440dd7b397c45f5f2dca5b
Instruction Fuzzy Hash: 8AF0876180D7C95FD703A7348C202E5BF70EF17254F0A05EBD084DB2E3DA28690883A2

Function 00007FF7C0E60A89 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12abfc0719ed570ca08411579d6a249304e839bdcc5eebd7ee133be5fe2cc0b6
Instruction ID: 18633222c821ad1756ce234aacef916d975c873b896ef3f4838f43cd8fb92215
Opcode Fuzzy Hash: 12abfc0719ed570ca08411579d6a249304e839bdcc5eebd7ee133be5fe2cc0b6
Instruction Fuzzy Hash: B821C461E18E494FE345BB785C597BAB7D2EF547A0F44827AE00DC3392DE28AC418791

Function 00007FF7C0E61168 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27f7f53759babd46deef2efcf1c0bed307a3adecaed6eeb8e743c3631c72f5bd
Instruction ID: 21a1414121ae91235a5d8f226f023f5bd829a37f1213b62a57ebbc9e41da80cb
Opcode Fuzzy Hash: 27f7f53759babd46deef2efcf1c0bed307a3adecaed6eeb8e743c3631c72f5bd
Instruction Fuzzy Hash: B4215A75A4480E9FDB44EB58D8A52EEFB71FF88351F840125D40AE33A6CE3079968BD0

Function 00007FF7C0E61D51 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2cebbbb3271bc7b213c5a058ef9bc8e18ca1e7aeb3db1af5acc053aedad8f0
Instruction ID: 6839529382fa59a27087d90aa36a263aa17973843d5427dd36166897f92776ce
Opcode Fuzzy Hash: ee2cebbbb3271bc7b213c5a058ef9bc8e18ca1e7aeb3db1af5acc053aedad8f0
Instruction Fuzzy Hash: 58017B14D0CB850FE342BA3878144B2BFF08F96661F4C00EBE488C72D7D9086A4483D2

Function 00007FF7C0E60B68 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3602972800.00007FF7C0E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_7ff7c0e60000_Windows.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c0595c1df0dc8425f73310370e3f19485e2f77145880ba297cb732ddb141aa
Instruction ID: 6ddb3eeb40be229eb5cc7506138e8544162ca79324ae8696a9b4a82352d31f56
Opcode Fuzzy Hash: c1c0595c1df0dc8425f73310370e3f19485e2f77145880ba297cb732ddb141aa
Instruction Fuzzy Hash: 8CE0ED21B14D1D4FAF80FFACA4492FDB2D1EB9C261F504177D50ED3292DE2868518791

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report uctgkfb7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

C:\Users\user\Windows.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
uctgkfb7.exe